Zero-day Vulnerability Database
Zero-day vulnerabilities discovered: 153
Multiple vulnerabilities in Microsoft Graphics Component
CVE-2016-7256
Memory Corruption
A remote attacker can execute arbitrary code on the target system.
The vulnerability exists due to incorrect handling of objects in memory in Windows font library when processing Open Type fonts. A remote attacker can create a specially crafted font file and cause memory corruption.
Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code on vulnerable system with privileges of the current user.
Note: this vulnerability is being actively exploited in the wild.
The vulnerability started to appear on the radar in June 2016 as it was used in "low-volume attacks primarily focused on targets in South Korea". A successful attack exploited a flaw in the Windows font library to elevate privileges, and to install a backdoor on target systems called Hankray.
Software: Windows
Known/fameous malware:
Trojan Horse Exp.CVE-2016-7256.
Links:
https://technet.microsoft.com/library/security/ms16-132
https://www.symantec.com/security_response/writeup.jsp?docid=2017-011706-2200-99
http://www.securityweek.com/microsoft-patches-windows-zero-day-exploited-russian-hackers
http://www.netsec.news/patch-tuesday-sees-68-microsoft-vulnerabilities-fixed/
https://www.ghacks.net/2017/01/18/microsoft-windows-10-hardening-against-0-day-exploits/
http://www.removesoft-tips.com/exp-cve-2016-7256-removal-guide-how-do-i-remove-exp-cve-2016-7256-com...
https://hotforsecurity.bitdefender.com/blog/if-youre-going-to-use-windows-it-makes-security-sense-to...
http://www.digitaltrends.com/computing/anniversary-update-shielded-against-two-exploits/
http://www.thewindowsclub.com/windows-10-mitigate-zero-day-exploits
http://windowsreport.com/microsoft-windows-10-zero-day-exploit/
Privilege escalation in Windows 10
CVE-2016-7255
Privilege escalation
The vulnerability allows a local user to gain elevated privileges on the target system.
The weakness is due to improper handling of objects in memory by win32k.sys. By sending a specially crafted system call NtSetWindowLongPtr(), a local attacker can set index GWLP_ID to WS_CHILD value on a window handle with GWL_STYLE and execute arbitrary code with system privileges.
Successful explotation of the vulnerability results in privilege escalation.
Note: this vulnerability is being actively exploited in the wild.
The zero-day was being actively exploited by Russian hackers (APT28, Fancy Bear, Pawn Storm, Sednit, Tsar Team, and Sofacy).
Software: Windows
Links:
https://www.symantec.com/security_response/writeup.jsp?docid=2016-110821-3527-99
https://technet.microsoft.com/library/security/ms16-135
https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html
http://www.netsec.news/patch-tuesday-sees-68-microsoft-vulnerabilities-fixed/
https://securingtomorrow.mcafee.com/mcafee-labs/digging-windows-kernel-privilege-escalation-vulnerab...
http://securityaffairs.co/wordpress/53242/hacking/cve-2016-7255-zero-day.html
http://blog.trendmicro.com/trendlabs-security-intelligence/one-bit-rule-system-analyzing-cve-2016-72...
https://cyware.com/news/one-bit-to-rule-a-system-analyzing-cve-2016-7255-exploit-in-the-wild-84cb5e1...
http://www.darkreading.com/endpoint/microsoft-november-security-updates-include-fix-for-zero-day-fla...
https://www.grahamcluley.com/pawn-storm-microsoft-zero-day/
https://nakedsecurity.sophos.com/2016/11/09/november-patch-tuesday-fixes-controversial-windows-0-day...
http://sensorstechforum.com/cve-2016-7255-67-vulnerabilities-addressed-microsoft/
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2016-3298
Information disclosure
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.The vulnerablity exists due to improper handling of objects in memory by the Internet Messaging API. A remote attacker can create a specially crafted content, trick the victim into opening it, bypass security restrictions and determine the existence of arbitrary files.
Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.
Note: the vulnerability was being actively exploited.
Proofpoint researchers Will Metcalf and Kafeine first detected and reported CVE-2016-3298 in April 2016 as part of a тАЬGooNkyтАЭ infection chain along with CVE-2016-3351, but the information disclosure vulnerability was most likely already in use by the AdGholas group.
CVE-2016-3298 and CVE-2016-3351 were reported to Microsoft between October and December of 2015.
Software: Microsoft Internet Explorer
Known/fameous malware:
Exploit Kit: Neutrino
CVE-2016-3298 and CVE-2016-3351 were reported to Microsoft between October and December of 2015.
Links:
https://www.proofpoint.com/uk/threat-insight/post/microsoft-patches-CVE-2016-3298-second-information...
https://technet.microsoft.com/en-us/library/security/ms16-118.aspx
https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2016-3298-microsoft-fixes-another-ie...
http://securityaffairs.co/wordpress/52186/hacking/microsoft-zero-da.html
https://www.brokenbrowser.com/detecting-local-files-to-evade-analysts/
https://threatpost.com/microsoft-patches-five-zero-days-under-attack/121211/
https://www.scmagazine.com/patch-tuesday-microsoft-patches-five-zero-day-vulnerabilities/article/548...
http://thehackernews.com/2016/10/Microsoft-security-patch-updates.html
https://blog.malwarebytes.com/cybercrime/exploits/2016/08/browser-based-fingerprinting-implications-...
http://www.securityweek.com/attackers-use-internet-explorer-zero-day-avoid-researchers
http://news.softpedia.com/news/microsoft-patches-four-zero-days-used-in-live-attacks-509222.shtml
http://wccftech.com/zero-day-exploited-update-windows-right-away/
https://www.beencrypted.com/attackers-uses-ie-edge-zero-day-avoid-researchers/
Multiple vulnerabilities in Microsoft Windows
CVE-2016-3393
Arbitrary code execution
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error in the Graphics Device Interface (GDI) component. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability has been used by an APT group Kaspersky Lab call FruityArmor. Victims have been identified in Thailand, Iran, Algeria, Yemen, Saudi Arabia and Sweden.
Software: Windows
Multiple vulnerabilities in Microsoft Edge
CVE-2016-7189
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error in the Scripting Engine when handling malicious files. A remote attacker can create a specially crafted content, trick the victim into downloading it, trigger memory corruption and execute arbitrary code.
Successful exploitation of the vulnerability will result in arbitrary code execution.
Note: the vulnerability was being actively exploited.
Software: Microsoft Edge
Links:
https://technet.microsoft.com/library/security/ms16-119
https://threatpost.com/microsoft-patches-five-zero-days-under-attack/121211/
http://thehackernews.com/2016/10/Microsoft-security-patch-updates.html
http://www.securitynewspaper.com/2016/10/12/microsoft-patches-four-zero-days-used-live-attacks/
http://www.securityweek.com/microsoft-patches-4-vulnerabilities-exploited-wild
https://www.tripwire.com/state-of-security/vulnerability-management/vert-threat-alert-october-2016-p...
http://www.slideshare.net/LANDESK/october2016-patchtuesdayshavlik
http://www.zdnet.com/article/microsoft-hackers-have-exploited-zero-days-in-windows-10s-edge-office-i...
https://www.helpnetsecurity.com/2016/10/12/october-patch-tuesday/
http://www.dailystar.co.uk/tech/news/553358/Microsoft-Windows-10-critical-flaws-security-update-fix-...
Remote code execution in Microsoft Office
CVE-2016-7193
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error when handling of malicious RTF files by Microsoft Word. A remote attacker can create a specially crafted RTF document, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability will result in arbitrary code execution.
Note: the vulnerability was being actively exploited.
Software: Microsoft Word
Links:
https://technet.microsoft.com/en-us/library/security/ms16-121.aspx
http://thehackernews.com/2016/10/Microsoft-security-patch-updates.html
https://threatpost.com/microsoft-patches-five-zero-days-under-attack/121211/
https://www.symantec.com/security_response/vulnerability.jsp?bid=93372
http://thehackernews.com/2016/10/Microsoft-security-patch-updates.html
http://www.securitynewspaper.com/2016/10/12/microsoft-patches-four-zero-days-used-live-attacks/
http://www.networkworld.com/article/3130109/security/microsoft-released-10-patches-6-rated-critical-...
https://www.scmagazine.com/patch-tuesday-microsoft-patches-five-zero-day-vulnerabilities/article/548...
http://www.zdnet.com/article/microsoft-hackers-have-exploited-zero-days-in-windows-10s-edge-office-i...
http://securityaffairs.co/wordpress/52186/hacking/microsoft-zero-da.html
https://www.helpnetsecurity.com/2016/10/12/october-patch-tuesday/
https://www.scmagazineuk.com/microsoft-bundles-security-updates--no-more-pick-and-choose/article/547...
Multiple vulnerabilities in Microsoft Internet Explorer and Edge
CVE-2016-3351
Memory corruption
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to boundary error when handling of malicious files. A remote attacker can create a specially crafted content, trick the victim into opening it, trigger memory corruption and gain access to arbitrary data.
Note: the vulnerability was being actively exploited.
Microsoft has known about CVE-2016-3351 since 2015.
Exploited By AdGholas and GooNky Malvertising Groups.
Software: Microsoft Internet Explorer
Exploited By AdGholas and GooNky Malvertising Groups.
Links:
https://www.proofpoint.com/us/threat-insight/post/Microsoft-Patches-Zero-Day-Exploited-By-AdGholas-G...
https://technet.microsoft.com/library/security/ms16-104
https://technet.microsoft.com/library/security/MS16-105
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=29628
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2016-3298-microsoft-fixes-another-ie-...
http://securityaffairs.co/wordpress/51494/hacking/internet-explorer-exploits.html
http://wccftech.com/zero-day-exploited-update-windows-right-away/
https://www.brokenbrowser.com/detecting-local-files-to-evade-analysts/
http://www.securityweek.com/microsoft-patches-browser-vulnerability-exploited-attacks
https://www.scmagazineuk.com/microsoft-bundles-security-updates--no-more-pick-and-choose/article/547...
http://www.securingcomputer.com/news/microsoft-patches-browser-vulnerability-exploited-attacks
http://www.zdnet.com/article/microsoft-patches-critical-ie-bug-that-was-under-attack-for-nearly-thre...
http://techgenix.com/microsoft-patches-ie-malvertising-vulnerability/
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2016-0189
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error in the Scripting Engine when handling malicious files. A remote attacker can create a specially crafted content, trick the victim into opening it, trigger memory corruption and execute arbitrary code.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Used to target South Korean organizations.
A banking (Duuzer back door) trojan distributed by Sundown Exploit Kit (EK) to target South Korean organizations. Later it was included into Magnitude and KaiXin EKs.
Software: Microsoft Internet Explorer
Known/fameous malware:
Exploit kit: Magnitude, Neutrino, RIG, Sundown.
A banking (Duuzer back door) trojan distributed by Sundown Exploit Kit (EK) to target South Korean organizations. Later it was included into Magnitude and KaiXin EKs.
Links:
http://theori.io/research/cve-2016-0189
https://github.com/theori-io/cve-2016-0189
https://technet.microsoft.com/library/security/MS16-053
https://technet.microsoft.com/library/security/ms16-051
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0189
http://malware.dontneedcoffee.com/2016/07/cve-2016-0189-internet-explorer-and.html
https://www.symantec.com/security_response/writeup.jsp?docid=2016-061306-3604-99
https://www.symantec.com/connect/blogs/internet-explorer-zero-day-exploit-used-targeted-attacks-sout...
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=70147
http://malware.dontneedcoffee.com/2016/07/cve-2016-0189-internet-explorer-and.html
http://blog.trendmicro.com/trendlabs-security-intelligence/may-2016-patch-tuesday-fixes-browser-scri...
https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html
https://www.virusbulletin.com/blog/2017/01/paper-journey-and-evolution-god-mode-2016-cve-2016-0189/
http://www.securityweek.com/microsoft-patches-flaws-exploited-targeted-attacks
http://sensorstechforum.com/may-2016-patch-tuesday-cve-2016-0189-kb3155533-kb3156764/
http://securityaffairs.co/wordpress/54093/intelligence/cnacom-campaign.html
https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise
http://forensicblogs.com/tag/cve-2016-0189/
https://threatpost.com/patched-ie-zero-day-incorporated-into-neutrino-ek/119321/
http://securityaffairs.co/wordpress/49383/cyber-crime/neutrino-ek-ie-flaw.html
http://www.securityweek.com/ie-exploit-added-neutrino-after-experts-publish-poc
http://www.cybersecurity-review.com/internet-explorer-zero-day-exploit-used-in-targeted-attacks-in-s...
http://www.zdnet.com/article/south-korea-victim-of-internet-explorer-zero-day-vulnerability/
http://thecharlestendellshow.com/experts-published-ie-exploit-code-and-crooks-added-it-to-neutrino-e...
https://cybernewsgroup.co.uk/ie-exploit-added-to-neutrino-after-experts-publish-poc/
http://www.networkworld.com/article/3068505/microsoft-fixes-actively-attacked-ie-flaw-and-50-other-v...
https://www.scmagazine.com/patch-tuesday-microsoft-rolls-out-16-bulletins-eight-rated-critical/artic...
http://news.redpiranha.net/Landing-Page-Containing-CVE-2016-0189-Exploit-Code-Used-to-Target-Taiwane...
http://www.darkreading.com/attacks-breaches/windows-0-day-exploit-used-in-recent-wave-of-pos-attacks...
https://securityintelligence.com/news/proof-of-compromise-new-neutrino-exploit-runs-on-research/
https://www.grahamcluley.com/neutrino-exploit-kit-adds-zero-day-flaw-arsenal/
Multiple vulnerabilities in Microsoft Windows
CVE-2016-0167
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to improper handling of objects in memory by the kernel-mode driver. A local attacker can run a specially crafted program, gain elevated privileges and execute arbitrary code with SYSTEM privileges.
Successful exploitation of this vulnerability may result in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Used to compromise organizations in the USA and Canada. First attacks were detected in 08.03.2016.
Software: Windows
Known/fameous malware:
PUNCHBABY or PUNCHTRACK Trojan.
Links:
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Exploit:Win64/CVE-2016...
https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html
https://technet.microsoft.com/library/security/ms16-039 http://www.securitytracker.com/id/1035532
http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-april-11-2016/
http://blog.cybersheath.com/adobe-and-windows-zero-day-exploits-in-the-wild
https://threatpost.com/microsoft-zero-day-exposes-100-companies-to-pos-attack/118026/
https://arstechnica.com/security/2016/05/beware-of-in-the-wild-0day-attacks-exploiting-windows-and-f...
http://sensorstechforum.com/windows-zero-day-exploited-to-steal-credit-card-data-from-us-companies/
http://www.securityweek.com/windows-zero-day-leveraged-financial-attacks
http://www.zdnet.com/article/microsoft-windows-zero-day-exposes-companies-to-crippling-cyberattacks/
Multiple vulnerabilities in Microsoft Windows
CVE-2016-0165
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to improper handling of objects in memory by the kernel-mode driver. A local attacker can run a specially crafted program, gain elevated privileges and execute arbitrary code with SYSTEM privileges.
Successful exploitation of this vulnerability may result in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The Badlock vulnerability.
Software: Windows
Links:
https://technet.microsoft.com/en-us/library/security/ms16-039.aspx
https://threatpost.com/fruityarmor-apt-group-used-recently-patched-windows-zero-day/121398/
http://www.networkworld.com/article/3054645/security/microsoft-rated-6-of-13-security-updates-as-cri...
https://securelist.com/blog/research/76396/windows-zero-day-exploit-used-in-targeted-attacks-by-frui...
http://www.infoworld.com/article/3055572/security/dont-let-badlock-distract-you-from-real-vulnerabil...
http://news.softpedia.com/news/microsoft-releases-critical-windows-edge-browser-office-security-upda...
https://www.infosecurity-magazine.com/news/patch-tuesday-badlock-bulletin/
Remote code execution in Microsoft Silverlight
CVE-2016-0034
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to an error when parsing strings with a malicious decoder that can return negative offsets. A remote attacker can create a specially crafted content, trick the victim into opening it, replace unsafe object headers with contents provided by an attacker and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
On July 5, 2015, a large amount of data from one company was leaked to the Internet with a hacker known as тАЬPhineas FisherтАЭ claiming responsibility for the breach.
Software: Microsoft Silverlight
Known/fameous malware:
Used in Angler, Hunter, RIG and Sundown Exploit Kit.
Links:
https://technet.microsoft.com/en-us/library/security/MS16-006
https://securelist.com/blog/research/73255/the-mysterious-case-of-cve-2016-0034-the-hunt-for-a-micro...
https://www.symantec.com/security_response/writeup.jsp?docid=2016-011507-1032-99
http://blog.trendmicro.com/trendlabs-security-intelligence/malvertising-campaign-in-us-leads-to-angl...
http://www.broadanalysis.com/2016/03/21/silverlight-exploit-leads-to-teslacrypt-cve-2016-0034/
http://sensorstechforum.com/attack-involves-silverlight-exploit-cve-2016-0034-angler-ek-and-teslacry...
http://www.securityweek.com/hacking-team-leak-leads-discovery-silverlight-zero-day
http://www.securityweek.com/exploit-recently-patched-silverlight-flaw-added-angler
https://www.trustwave.com/Resources/SpiderLabs-Blog/Sundown-EK-%E2%80%93-Stealing-Its-Way-to-the-Top...
http://securityaffairs.co/wordpress/44774/cyber-crime/angler-ek-silverlight-exploit.html
https://blog.qualys.com/securitylabs/2016/01/14/hunting-for-vulnerable-functions-in-microsoft-silver...
http://www.zdnet.com/article/microsoft-silverlight-exploit-spotted-in-angler-kit/
http://www.zdnet.com/article/kaspersky-lab-discovers-silverlight-zero-day-vulnerability/
http://news.softpedia.com/news/hackers-wasted-their-time-adding-a-silverlight-exploit-to-the-angler-...
https://www.scmagazine.com/as-kaspersky-labs-researchers-predicted-exploits-of-silverlight-vulnerabi...
http://blog.morphisec.com/javascript-in-ie-overtakes-flash-as-number-one-target-for-angler-exploit-k...
https://threatpost.com/new-silverlight-attacks-appear-in-angler-exploit-kit/116409/
https://arstechnica.com/security/2016/02/malicious-websites-exploit-silverlight-bug-that-can-pwn-mac...
http://www.darkreading.com/vulnerabilities---threats/kaspersky-caught-scent-of-silverlight-zero-day-...
Multiple vulnerabilities in Microsoft Windows
CVE-2015-6175
Memory corruption
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to boundary error when handling of objects in kernel memory. A local attacker can execute a specially crafted program, trigger memory corruption and gain SYSTEM privileges.
Successful exploitation of this vulnerability results in privilege escalation on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Windows
Links:
https://www2.trustwave.com/rs/815-RFM-693/images/2016%20Trustwave%20Global%20Security%20Report.pdf
https://technet.microsoft.com/library/security/ms15-135
https://www.symantec.com/security_response/vulnerability.jsp?bid=78514
http://www.securityweek.com/microsoft-patches-windows-office-flaws-exploited-wild
Remote code execution in Microsoft Windows Media Center
CVE-2015-2509
Arbitrary code execution
The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper handling of Media Center link (.mcl) files. A remote attacker can create a specially crafted Media Center link (.mcl) file that references malicious code, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in system compromise.Note: the vulnerability was being actively exploited.
This vulnerability is related to a previously unreported zero-day exploit discovered in the Hacking Team leaked emails. Trend Micro researchers (Aaron Luo, Kenney Lu, and Ziv Chang) discovered the exploit and subsequently reported their findings to Microsoft.
Software: Windows Media Center
Links:
https://www2.trustwave.com/rs/815-RFM-693/images/2016%20Trustwave%20Global%20Security%20Report.pdf
http://blog.trendmicro.com/trendlabs-security-intelligence/windows-media-center-hacking-team-bug-fix...
https://technet.microsoft.com/library/security/ms15-100
http://www.cio.com/article/2982358/microsoft-patches-yet-another-hacking-team-zero-day-exploit.html
http://blog.trendmicro.com/trendlabs-security-intelligence/windows-media-center-hacking-team-bug-fix...
http://resources.infosecinstitute.com/exploiting-ms15-100-cve-2015-2509/#gref
http://www.csoonline.com/article/2982487/vulnerabilities/microsoft-patches-yet-another-hacking-team-...
http://securityaffairs.co/wordpress/40019/hacking/windows-media-center-ht-bug.html
https://vulners.com/metasploit/MSF:EXPLOIT/WINDOWS/FILEFORMAT/MS15_100_MCL_EXE
https://www.symantec.com/security_response/vulnerability.jsp?bid=76594
http://www.pcworld.com/article/2982361/microsoft-patches-yet-another-hacking-team-zero-day-exploit.h...
Multiple vulnerabilities in Microsoft Windows
CVE-2015-2546
Memory corruption
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The weakness exists due to boundary error in ATMFD.dll in Win32k.sys. A local attacker can execute a specially crafted program, trigger memory corruption and gain SYSTEM privileges.
Successful exploitation of the vulnerability may result in full control of the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was reported by FireEye researcher Wang Yu.
Software: Windows
Links:
https://technet.microsoft.com/en-us/library/security/ms15-097
https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/twoforonefinal.pdf
https://www.symantec.com/security_response/vulnerability.jsp?bid=76608
https://krebsonsecurity.com/2015/09/microsoft-pushes-a-dozen-security-updates/
http://www.securityweek.com/microsoft-patches-windows-vulnerability-exploited-wild
https://www.scmagazine.com/microsoft-fixes-several-bugs-on-patch-tuesday-two-being-actively-exploite...
https://www.helpnetsecurity.com/2015/09/09/microsoft-pushes-out-security-updates-plugs-holes-activel...
https://threatpost.com/microsoft-patches-graphics-component-flaw-under-attack/114575/
http://www.securitynewspaper.com/2015/09/09/microsoft-patches-graphics-component-flaw-under-attack/
Multiple vulnerabilities in Microsoft Office
CVE-2015-2545
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when parsing malformed images. A remote attacker can create a file containing a specially crafted image file, trick the victim into opening it, cause memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
CVE-2015-2545 fuels around 17% of attacks in Microsoft Office.
Used to target organisations in China.
Software: Microsoft Office
Used to target organisations in China.
Links:
https://technet.microsoft.com/en-us/library/security/ms15-099
https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/twoforonefinal.pdf
http://pwc.blogs.com/cyber_security_updates/2016/05/exploring-cve-2015-2545-and-its-users.html
https://threatpost.com/apt-groups-finding-success-with-patched-microsoft-flaw/118298/
http://www.securityweek.com/year-old-office-vulnerabilities-most-popular-current-attacks
https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/
https://www.symantec.com/security_response/vulnerability.jsp?bid=76667
https://blogs.sophos.com/2016/07/18/cybercriminals-shift-their-tactics-for-microsoft-office-document...
https://www.threatconnect.com/blog/word-document-trojan-exploiting-cve/
http://www.itworldcanada.com/article/exploit-kits-now-adopting-recent-office-vulnerabilities-report/...
https://www.scmagazine.com/microsoft-fixes-several-bugs-on-patch-tuesday-two-being-actively-exploite...
http://blog.morphisec.com/exploit-bypass-emet-cve-2015-2545
http://news.softpedia.com/news/one-microsoft-office-exploit-has-become-very-popular-with-cyber-espio...
http://news.softpedia.com/news/ke3chang-is-back-and-it-s-targeting-indian-embassies-around-the-globe...
Remote code execution in Microsoft Internet Explorer
CVE-2015-2502
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error when handling Javascript and HTML tables within the layout cache. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability has been exploited in watering hole attacks against compromised website belonging to an evangelical church in Hong Kong to deliver Korplug malware.
Software: Microsoft Internet Explorer
Known/fameous malware:
Korplug malware.
Links:
https://technet.microsoft.com/library/security/MS15-093
http://www.securityweek.com/microsoft-issues-emergency-patch-critical-ie-flaw-exploited-wild
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=28195
https://www.alienvault.com/blogs/security-essentials/internet-explorer-memory-corruption-vulnerabili...
https://www.tripwire.com/state-of-security/vulnerability-management/ie-under-attack-microsoft-releas...
https://krebsonsecurity.com/2015/08/microsoft-pushes-emergency-patch-for-ie/
https://www.redpacketsecurity.com/cve-2015-2502-microsoft-issues-emergency-patch-for-all-versions-of...
https://blog.qualys.com/laws-of-vulnerabilities/2015/08/18/ms15-093--oob-fix-for-internet-explorer
https://arstechnica.com/security/2015/08/microsoft-issues-emergency-patch-for-critical-ie-bug-under-...
https://www.scmagazine.com/microsoft-patches-critical-remote-code-execution-bug-in-internet-explorer...
https://www.symantec.com/connect/tr/blogs/new-internet-explorer-zero-day-exploited-hong-kong-attacks
https://malwarelist.net/tag/zero-day-vulnerability/
http://www.darkreading.com/attacks-breaches/ie-bug-exploited-in-wild-after-microsoft-releases-out-of...
http://thehackernews.com/2015/08/microsoft-emergency-patch-zero-day-internet-explorer.html
Multiple vulnerabilities in Microsoft Office
CVE-2015-1642
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when processing Microsoft Office documents. A remote unauthenticated attacker can create a specially crafted Office document, trick the victim into opening it and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
The vulnerability was discovered by Yong Chuan, Koh of MWR Labs.
Software: Microsoft Office
Links:
https://technet.microsoft.com/en-us/library/security/ms15-081.aspx
https://www.symantec.com/security_response/vulnerability.jsp?bid=76200
https://www.nccgroup.trust/uk/our-research/understanding-microsoft-word-ole-exploit-primitives/
https://labs.mwrinfosecurity.com/advisories/microsoft-office-ctasksymbol-use-after-free-vulnerabilit...
http://blog.trendmicro.com/trendlabs-security-intelligence/august-patch-tuesday-includes-update-for-....
Privilege escalation in Microsoft Windows
CVE-2015-1769
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to improper processing of symbolic links by Mount Manager. By inserting a specially crafted USB device into the system, an attacker can create arbitrary files and execute malicious code with SYSTEM privileges.
Successful exploitation of this vulnerability may result in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Attackers used USB to infect computers with the malware at the Natanz uranium enrichment facility in Iran.
The .LNK vulnerability was also exploited by the Equation Group, uncovered by researchers at Kaspersky Lab.
Software: Windows
Known/fameous malware:
Fanny
The .LNK vulnerability was also exploited by the Equation Group, uncovered by researchers at Kaspersky Lab.
Links:
https://technet.microsoft.com/en-us/library/security/ms15-085.aspx https://blogs.technet.microsoft.com/srd/2015/08/11/defending-against-cve-2015-1769-a-logical-issue-e...
https://cdn4.esetstatic.com/eset/US/resources/docs/white-papers/Windows_Exploitation_in_2015.pdf
https://threatpost.com/microsoft-patches-usb-related-flaw-used-in-targeted-attacks/114240/
https://threats.kaspersky.com/en/vulnerability/KLA10646/
https://www.sophos.com/en-us/threat-center/threat-analyses/vulnerabilities/VET-000786.aspx
http://www.securityweek.com/microsoft-adobe-patch-dozens-security-vulnerabilities
Remote code execution in Microsoft Windows
CVE-2015-2426
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to buffer overflow in Windows Adobe Type Manager library when processing OpenType fonts. A remote attacker can create a specially crafted document or website with embedded malicious OpenType font, trick the victim into opening it, cause memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: the vulnerability was being actively exploited.
The exploit code was revealed after Hacking Team data leak.
The vulnerability was reported by FireEye's Genwei Jiang and Google Project Zero's Mateusz Jurczyk.
The vulnerability has being exploited by Eugene Ching of Qavar Security on the January 2015.
Software: Windows
The vulnerability was reported by FireEye's Genwei Jiang and Google Project Zero's Mateusz Jurczyk.
The vulnerability has being exploited by Eugene Ching of Qavar Security on the January 2015.
Links:
http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-leak-uncovers-another-window...
https://www.host-stage.net/blog/security-issue-adobe-type-manager-cve-2015-2426-patched/
https://ae.norton.com/security_response/print_writeup.jsp?docid=2015-072114-5203-99
https://www.carbonblack.com/2015/07/24/using-bit9-to-mitigate-ms15-078cve-2015-2426/
https://www.nccgroup.trust/uk/our-research/exploiting-cve-2015-2426-and-how-i-ported-it-to-a-recent-...
https://www.tripwire.com/state-of-security/vulnerability-management/vert-threat-alert-july-20-2015/
http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-at-the-open-type-font-manager-vuln...
https://www.symantec.com/connect/blogs/leaked-hacking-team-windows-vulnerability-could-facilitate-re...
http://www.computerworld.com/article/2949589/malware-vulnerabilities/microsoft-patches-windows-zero-...
https://googleprojectzero.blogspot.com/2016/06/a-year-of-windows-kernel-font-fuzzing-1_27.html
https://www.beyondtrust.com/blog/microsoft-patches-a-critical-vulnerability-in-adobe-type-manager-fo...
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2015-2425
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error. A remote attacker can create a specially crafted Web-site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The exploit code was revealed after Hacking Team data leak.
Software: Microsoft Internet Explorer
Links:
http://blog.trendmicro.com/trendlabs-security-intelligence/gifts-from-hacking-team-continue-ie-zero-...
https://arstechnica.com/security/2015/07/ms-kills-critical-ie-11-bug-after-exploit-was-shopped-to-ha...
http://blog.vectranetworks.com/blog/microsoft-internet-explorer-11-zero-day
http://www.eweek.com/security/adobe-microsoft-and-oracle-patch-for-hacking-team-flaws.html
https://www.symantec.com/security_response/writeup.jsp?docid=2015-072010-0655-99&tabid=2
Arbitrary code execution in Microsoft Windows
CVE-2015-2387
Memory corruption
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The weakness exists due to boundary error in the Adobe Type Manager module (ATMFD.dll). A local attacker can execute a specially crafted application, trigger memory corruption, bypass OS-level sandboxing and execute arbitrary code with SYSTEM privileges.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.The exploit code was revealed after Hacking Team data leak.
Public exploit code for this vulnerability became available as part of the Hacking Team leaks on July 5, 2015.
Software: Windows
Public exploit code for this vulnerability became available as part of the Hacking Team leaks on July 5, 2015.
Links:
https://technet.microsoft.com/en-us/library/security/ms15-077.aspx http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-at-the-open-type-font-manager-vuln...
http://www.securityweek.com/microsoft-patches-hacking-team-zero-days-other-vulnerabilities
https://countuponsecurity.com/2015/07/24/hacking-team-arsenal-of-cyber-weapons/
https://securingtomorrow.mcafee.com/business/security-connected/microsoft-patch-tuesday-july-2015/
http://www.bankinfosecurity.com/hacking-team-dump-windows-zero-day-a-8404
https://www.secureworks.com/blog/targeted-exploit-and-escalation
Remote code execution in Microsoft Office
CVE-2015-2424
Heap-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to heap-based buffer overflow when processing Office files. A remote attacker can create a specially crafted Office file, trick the victim into opening it, cause memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability reffers to the APT28 and Operation Pawn Storm and was used in cyber espionage campaign by Tsar Team.
Software: Microsoft Office
Known/fameous malware:
Trojan.Win32.Sofacy.
Links:
https://technet.microsoft.com/en-us/library/security/ms15-070.aspx
http://resources.infosecinstitute.com/the-shadow-of-the-russian-cyber-army-behind-the-2016-president...
https://www.trustwave.com/Resources/SpiderLabs-Blog/Tsar-Team-Microsoft-Office-Zero-Day-CVE-2015-242...
https://www.symantec.com/security_response/vulnerability.jsp?bid=75744
http://www.securityweek.com/microsoft-patches-office-zero-day-bug-used-apt-group
Multiple vulnerabilities in Microsoft Windows
CVE-2015-2360
Memory corruption
The vulnerability allows a local attacker to obtain elevated privileges on the target system.The weakness exists due to boundary error. A local attacker can run a specially crafted program to trigger memory corruption and acquire administrative privileges.
Successful exploitation of the vulnerability results in privilege escalation on the vulnerable system.
Note: the vulnerability was being actively exploited.
Expoited by Duqu 2.0 and used in attack against the Kaspersky Lab to hack their internal networks in early spring 2015.
Software: Windows
Links:
https://technet.microsoft.com/en-us/library/security/ms15-061.aspx
https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-ac...
http://securityaffairs.co/wordpress/37714/cyber-crime/duqu-2-0-hit-kaspersky.html
http://blog.trendmicro.com/trendlabs-security-intelligence/analysis-of-cve-2015-2360-duqu-2-0-zero-d...
https://www.symantec.com/security_response/vulnerability.jsp?bid=75025
http://blog.ensilo.com/ms-patch-tuesday-a-look-into-4-vulnerabilities-in-the-windows-kernel
https://www.virusbulletin.com/conference/vb2015/abstracts/duqu-2-0-win32k-exploit-analysis/
http://usa.kaspersky.com/about-us/press-center/press-releases/2015/duqu-back-kaspersky-lab-reveals-c..
https://blogs.bromium.com/2015/06/16/duqu-2-0-whos-the-lord-of-ring0/
Multiple vulnerabilities in Microsoft Windows
CVE-2015-1701
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The weakness exists due to improper access control. A local attacker can create a specially crafted application, execute a callback in userspace and use data from the System token to execute arbitrary code on the system with root privileges.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.The vulnerability was combined with CVE-2015-3043 to perform Operation "Russian Doll".
Exploited by RussiaтАЩs APT28 (Fancy Bear APT) in cyber espionage campaign on the U.S defense contractors, European security companies and Eastern European government entities.
Software: Windows
Exploited by RussiaтАЩs APT28 (Fancy Bear APT) in cyber espionage campaign on the U.S defense contractors, European security companies and Eastern European government entities.
Links:
https://technet.microsoft.com/en-us/library/security/ms15-051
https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html http://resources.infosecinstitute.com/the-shadow-of-the-russian-cyber-army-behind-the-2016-president...
http://blog.trendmicro.com/trendlabs-security-intelligence/exploring-cve-2015-1701-a-win32k-elevatio...
https://www.symantec.com/security_response/vulnerability.jsp?bid=74245
https://www.reddit.com/r/microsoft/comments/334zyo/russia_use_unpatched_cve20151701_in/
https://thehacktimes.com/cyber-espionage-operation-russian-doll/
http://www.eweek.com/security/russian-based-attackers-use-two-zero-days-in-one-attack.html
Multiple vulnerabilities in Microsoft Office
CVE-2015-1641
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error when handling rich text format files. A remote attacker can create a specially crafted RTF document, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability accounts for nearly 66% of attacks using Office Word.
APT attacks, targeting Tibetans, Uyghurs, human rights groups in Taiwan and Hong Kong, and journalists.
Software: Microsoft Office
APT attacks, targeting Tibetans, Uyghurs, human rights groups in Taiwan and Hong Kong, and journalists.
Links:
https://technet.microsoft.com/en-us/library/security/ms15-033.aspx
http://www.securityweek.com/year-old-office-vulnerabilities-most-popular-current-attacks
https://degsew.wordpress.com/2016/03/28/new-microst-office-word-2007-2013-exploit-cve-2015-1641-anal...
http://news.softpedia.com/news/cve-2015-1641-and-cve-2015-2545-are-today-s-most-popular-microsoft-wo...
http://www.securityweek.com/spear-phishing-attacks-target-industrial-firms-kaspersky-lab-ics-cert
http://www.securitynewspaper.com/2016/07/19/cve-2015-1641-cve-2015-2545-todays-popular-microsoft-wor...
Two remote code execution vulnerabilities in Microsoft Windows
CVE-2015-0096
Insecure dll. library loading
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to the way Microsoft Windows parses shortcuts. A remote attacker can place a specially crafted .dll file along with an icon file on a remote SMB or WebDav share, trick the victim into opening that document and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: the vulnerability was being actively exploited.
According to Trustwave it is a zero-day.
Vulnerability CVE-2015-0096 is a continuation of CVE-2010-2568, which was believed to have been patched by MS10-046. However, it was not completely and we see this with MS15-018. At the time of the patch release there were fully functional exploits for this particular vulnerability.
Software: Windows
Vulnerability CVE-2015-0096 is a continuation of CVE-2010-2568, which was believed to have been patched by MS10-046. However, it was not completely and we see this with MS15-018. At the time of the patch release there were fully functional exploits for this particular vulnerability.
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2015-0071
Security bypass
The vulnerabiity allows a remote attacker to bypass security restrictions on the target system.The weakness exists due to failure to use Address Space Layout Randomization (ASLR). A remote attacker can create a specially crafted Web site, trick the victim into visiting it, bypass ASLR mechanism and predict memory locations that if connected with another vulnerability allows to execute arbitrary code.
Successful exploitation of this vulnerability results in security bypass on the vulnerable system.
Note: the vulnerability was being actively exploited.
Allegedly, Chinese hackers combined it with a remote-code execution vulnerability in Adobe Flash to infect visitors to the Forbes website with malware since November, 2014.
Software: Microsoft Internet Explorer
Known/fameous malware:
JS:CVE-2015-0071-A.
Links:
https://technet.microsoft.com/library/security/ms15-009
https://cdn4.esetstatic.com/eset/US/resources/docs/white-papers/Windows_Exploitation_in_2015.pdf
https://www.symantec.com/security_response/vulnerability.jsp?bid=72455
http://blog.trendmicro.com/trendlabs-security-intelligence/bypassing-aslr-with-cve-2015-0071-an-out-...
https://www.invincea.com/2015/02/chinese-espionage-campaign-compromises-forbes/
http://www.theregister.co.uk/2015/02/10/patch_tuesday_release_fixes_unprecedented_zeroday_design_fla...
https://www.hackread.com/hackers-use-flash-and-ie-to-target-forbes-visitors/
https://arstechnica.com/security/2015/02/pwned-in-7-seconds-hackers-use-flash-and-ie-to-target-forbe...
http://www.securityweek.com/microsoft-patches-critical-windows-internet-explorer-vulnerabilities-pat...
http://www.threatgeek.com/2016/05/turbo-twist-two-64-bit-derusbi-strains-converge.html
https://www.scmagazine.com/forbescom-attackers-exploited-zero-days-in-flash-ie/article/536348/
https://arstechnica.com/security/2015/02/pwned-in-7-seconds-hackers-use-flash-and-ie-to-target-forbe...
Cross-site scripting in Microsoft Internet Explorer
CVE-2015-0072
Cross-site scripting
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.The vulnerability exists due to insufficient sanitization of user-input passed via vectors involving an IFRAME element. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in userтАЩs browser in context of another website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Note: the vulnerability was being actively exploited.
CVE-2015-0072 was apparently reported to Microsoft on Oct. 13, 2014, however David Leo disclosed the details of this vulnerability to the popular Full Disclosure security mailing list on Jan. 31, 2015.
Software: Microsoft Internet Explorer
Known/fameous malware:
Exploit: HTML/CVE-2015-0072.A
Links:
https://technet.microsoft.com/library/security/ms15-018
http://www.pcworld.com/article/2879372/dangerous-ie-vulnerability-opens-door-to-powerful-phishing-at...
https://nakedsecurity.sophos.com/2015/02/04/internet-explorer-has-a-cross-site-scripting-zero-day-bu...
https://blogs.forcepoint.com/security-labs/another-day-another-zero-day-%E2%80%93-internet-explorers...
http://22by7.helpserve.com/News/NewsItem/View/5773/another-day-another-zero-day--internet-explorers-...
Privilege escalation in Microsoft Windows
CVE-2015-0016
Path traversal
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The weakness exists due to insufficient validation of user-supplied input within TS WebProxy Windows component. A remote attacker can trick the victim into downloading a specially crafted file and execute it with privileges of the current user.
Successful exploitation of the vulnerability may result in full control of the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was being used in CNACOM campaign targeting government organization in Taiwan.
Software: Windows
Known/fameous malware:
Exploit.Win32.CVE-2015-0016.
Links:
https://technet.microsoft.com/library/security/ms15-004
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2015-0016-escaping-the-internet-explo...
https://www.symantec.com/security_response/vulnerability.jsp?bid=71965
http://www.securityweek.com/china-linked-spies-target-taiwan-ie-exploit
http://securityaffairs.co/wordpress/33153/cyber-crime/fessleak-malvertising-campaign.html
http://securityaffairs.co/wordpress/54093/intelligence/cnacom-campaign.html
Privilege escalation in Microsoft Windows
CVE-2014-6324
Privilege escalation
The vulnerability allows a remote authenticated attacker to obtain elevated privileges on the target system.The weakness exists due to the failure to properly validate signatures in the Kerberos ticket by the Microsoft Kerberos KDC implementation. A remote attacker can forge a ticket and elevate an unprivileged domain user account to a domain administrator account.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Exploited by Duqu.
The vulnerability was reported by Qualcomm Information Security & Risk Management team.
Software: Windows
The vulnerability was reported by Qualcomm Information Security & Risk Management team.
Links:
https://technet.microsoft.com/library/security/MS14-068
https://blogs.technet.microsoft.com/srd/2014/11/18/additional-information-about-cve-2014-6324/
http://securityaffairs.co/wordpress/30320/security/microsoft-patch-kerberos-bug.html
https://www.symantec.com/security_response/vulnerability.jsp?bid=70958
https://www.netiq.com/communities/cool-solutions/detecting-windows-kerberos-implementation-elevation...
Privilege escalation in Microsoft Windows
CVE-2014-4077
Privilege escalation
The vulnerability allows a remote authenticated attacker to obtain elevated privileges on the target system.The weakness exists due to improper access control in Microsoft implementation of Input Method Editor (IME) for Japanese language. A remote attacker can create a specially crafted file designed to invoke a vulnerable sandboxed application, trick the victim into opening it, gain elevated privileges and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
CVE-2014-4077 used in targeted attack in the wild to bypass Adobe Reader Sandbox via binary hijacking using malicious DIC file.
Software: Windows
Remote code execution in Microsoft Windows
CVE-2014-6352
Code injection
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to an error when handling malicious Office files. A remote attacker can create a specially crafted Microsoft Office file containing the malicious OLE object, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Microsoft first received information about this vulnerability through coordinated vulnerability disclosure. Zero-day was initially found and reported to McAfee by James Forshaw of Google Project Zero.
The vulnerability is publicly known as "Sandworm" and has been exploited by the Chinese against Taiwan.
Software: Windows
Known/fameous malware:
Trojan.Mdropper. (Symantec).
The vulnerability is publicly known as "Sandworm" and has been exploited by the Chinese against Taiwan.
Links:
https://technet.microsoft.com/en-us/library/security/ms14-064
http://blog.trendmicro.com/trendlabs-security-intelligence/microsoft-windows-hit-by-new-zero-day-att...
https://malwarelist.net/2014/10/22/cve-2014-6352-critical-vulnerability-in-microsoft-windows/
https://www.symantec.com/connect/blogs/attackers-circumvent-patch-windows-sandworm-vulnerability
http://www.theregister.co.uk/2014/10/22/powerpoint_attacks_exploit_ms_0day/
http://www.computerworld.com/article/2837084/microsoft-misses-windows-bug-hackers-slip-past-patch.ht...
https://nakedsecurity.sophos.com/2014/10/24/has-the-sandworm-exploit-burrowed-back/
http://www.eweek.com/security/microsoft-patches-33-vulnerabilities-in-november-patch-tuesday-update....
https://techtalk.gfi.com/the-lesson-of-sandworm-patched-but-not-protected/
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2014-4123
Privilege escalation
The vulnerability allows a remote attacker to obtain elevated privileges on the target system.The weakness exists due to the failure to properly validate permissions. A remote attacker can gain elevated privileges and execute arbitrary code on the affected system.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
CrowdStrike first detected the attacks in spring.
The zero-day reported by CrowdStrike was also reported by FireEye.
The issue has been introduced in 07/27/2005.
The vulnerability was handled as a non-public zero-day exploit for at least 3366 days.
Exploited by Hurricane Panda.
Software: Microsoft Internet Explorer
The zero-day reported by CrowdStrike was also reported by FireEye.
The issue has been introduced in 07/27/2005.
The vulnerability was handled as a non-public zero-day exploit for at least 3366 days.
Exploited by Hurricane Panda.
Links:
https://blogs.technet.microsoft.com/srd/2014/10/14/assessing-risk-for-the-october-2014-security-upda...
https://technet.microsoft.com/library/security/ms14-056
https://blog.qualys.com/laws-of-vulnerabilities/2014/10/14/october-2014-patch-tuesday
https://www.symantec.com/security_response/vulnerability.jsp?bid=70326
http://www.darkreading.com/attacks-breaches/hurricane-panda-cyberspies-used-windows-zero-day-for-mon...
https://computerobz.wordpress.com/2014/10/22/october-2014-patch-tuesday-addresses-four-active-zero-d...
Remote code execution in Microsoft Windows
CVE-2014-4148
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to improper input validation when processing TrueType fonts in kernel-mode driver (win32k.sys). A remote attacker can create a specially crafted font file, place it on a web page, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was highly exploited by advanced adversary group named HURRICANE PANDA.
Software: Windows
Links:
https://www.fireeye.com/blog/threat-research/2014/10/two-targeted-attacks-two-new-zero-days.html
https://technet.microsoft.com/en-us/library/security/ms14-058.aspx
http://security.stackexchange.com/questions/92164/the-way-vulnerabilities-like-cve-2014-4148-are-dis...
https://www.scmagazine.com/zero-day-attackers-exploit-windows-kernel-patch-tuesday-brings-fix/articl...
http://www.securityweek.com/multiple-patch-tuesday-vulnerabilities-under-attack
http://www.capitalcomputercentre.com/best-way-to-remove-s3traypd-exeexp-cve-2014-4148-exp-cve-2014-4...
Remote code execution in Microsoft Windows
CVE-2014-4114
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to an error when processing OLE objects. A remote attacker can create a specially crafted OLE object, attach it to a document (e.g. PowerPoint file), trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The zero-day vulnerability is being claimed to have been used in early September in possible campaigns against NATO, Ukrainian government
organizations, Western European government organization, Energy Sector firms (specifically in Poland), European telecommunications firms, United States academic organizations.
Files in the SandWorm exploit hilighted by iSIGHT Partners include a malicious executable from a known malware family, namely the BlackEnergy Trojan.
Software: Windows
Known/fameous malware:
Dyreza Trojan.
SandWorm
BlackEnergy Trojan.
Files in the SandWorm exploit hilighted by iSIGHT Partners include a malicious executable from a known malware family, namely the BlackEnergy Trojan.
Links:
https://technet.microsoft.com/en-us/library/security/ms14-060
http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-windows-zero-day-vulnerabi...
https://citizenlab.org/2015/06/targeted-attacks-against-tibetan-and-hong-kong-groups-exploiting-cve-...
http://security.stackexchange.com/questions/70894/windows-ole-vulnerability-cve-2014-4114-sandworm
http://thehackernews.com/2014/10/microsoft-windows-zero-day_13.html
https://www.cyphort.com/cve-2014-4114-sandworm-worm/
https://www.symantec.com/security_response/writeup.jsp?docid=2014-102322-3150-99
https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploi...
https://threatpost.com/dyreza-banker-trojan-attackers-exploiting-cve-2014-4114-windows-flaw/109071/
Privilege escalation in Microsoft Windows
CVE-2014-4113
Privilege escalation
The vulnerability allows a local attacker to obtain elevated privileges on the target system.The weakness exists due to improper handling of objects in memory by kernel-mode driver (win32k.sys). A local attacker can run a specially crafted application to gain elevated privileges and take complete control of the system.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was apparently found and reported to Microsoft by both ╨бrowdStrike and FireEye.
The vulnerability has been actively exploited in the wild for at least five month by highly advanced adversary group named HURRICANE PANDA.
Software: Windows
Known/fameous malware:
Nuclear Exploit Kit.
The vulnerability has been actively exploited in the wild for at least five month by highly advanced adversary group named HURRICANE PANDA.
Links:
https://technet.microsoft.com/en-us/library/security/ms14-058
https://dl.packetstormsecurity.net/papers/attack/CVE-2014-4113.pdf
https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-expl...
https://www.fireeye.com/blog/threat-research/2014/10/two-targeted-attacks-two-new-zero-days.html
http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vuln...
http://securityaffairs.co/wordpress/29270/security/microsoft-fixes-3-zero-day.html
http://www.securityweek.com/multiple-patch-tuesday-vulnerabilities-under-attack
https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-lab-exploiting-cve-2014-4113.pdf
Information disclosure in Microsoft Internet Explorer
CVE-2013-7331
Information disclosure
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.The weakness exists due to information disclosure vulnerability in Microsoft XMLDOM ActiveX component. A remote attacker can create a specially crafted Web page, trick the victim into visiting it and check for the presence of local drive letters, directory names, files, as well as internal network addresses or websites.
Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.
Note: the vulnerability was being actively exploited.
PoC-code for this vulnerability was available since at least April 25, 2013.
Software: Microsoft Internet Explorer
Known/fameous malware:
Exploit kits: Angler, Rig, Nuclear, Styx.
Links:
https://technet.microsoft.com/en-us/library/security/ms14-052.aspx
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=70103
http://www.securityweek.com/microsoft-patches-internet-explorer-vulnerability-targeted-attackers
http://www.pcworld.com/article/2604688/internet-explorer-steals-the-patch-tuesday-spotlight-again.ht...
http://www.csoonline.com/article/2607297/data-protection/microsoft-patch-fixed-ie-flaw-used-against-...
https://securelist.com/blog/software/66474/microsoft-updates-september-2014-apt-loses-a-trick-remini...
https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-evolution-of-...
https://labs.bromium.com/2014/09/16/pirates-of-the-internetz-the-curse-of-the-waterhole/
https://www.scmagazine.com/watering-hole-attack-targets-website-visitors-of-oil-and-gas-start-up/art...
http://www.scmagazineuk.com/rsa-2016-fingerprinting-the-latest-twist-used-for-malvertising-attacks/a...
Privilege escalation in Microsoft Internet Explorer
CVE-2014-2817
Privelege escalation
The vulnerability allows a remote attacker to obtain elevated privileges on the target system.The weakness exists due to the failure to properly validate permissions. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, gain elevated privileges and execute arbitrary code on the affected system.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Microsoft Internet Explorer
Security bypass in Microsoft Office
CVE-2014-1809
Security bypass
The vulnerability allows a remote attacker to bypass security restrictions on the target system.The weakness exists due to improper implementation of Address Space Layout Randomization (ASLR) features in MSCOMCTL. By persuading a victim to visit a specially-crafted Web site or open an application or Office document with a specially-crafted ActiveX control embedded within it, an attacker could exploit this vulnerability to bypass ASLR and execute another attack that otherwise would have been blocked by ASLR.
Successful exploitation of the vulnerability results in security bypass on the vulnerable system.
Note: the vulnerability was being actively exploited.
The issue has been introduced in 01/30/2007.
Software: Microsoft Office
Privilege escalation in Microsoft Windows
CVE-2014-1812
Privilege escalation
The vulnerability allows a remote authenticated attacker to obtain elevated privileges on the target system.The weakness exists due to the method passwords are distributed when configured using group policy preference. A remote authenticated attacker can obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Windows
Links:
https://technet.microsoft.com/en-us/library/security/ms14-025
https://dirteam.com/sander/2014/05/23/security-thoughts-passwords-in-group-policy-preferences-cve-20...
https://www.tripwire.com/state-of-security/vulnerability-management/vert-alert-may-2014-microsoft-pa...
https://www.sophos.com/en-us/threat-center/threat-analyses/vulnerabilities/VET-000604.aspx
Two remote code execution vulnerabilities in Microsoft Internet Explorer
CVE-2014-1815
тАЬUse-after-freeтАЭ error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
CVE-2014-1815 was reported to Microsoft by Clement Lecigne, a security engineer who works for Google in its Swiss office.
The vulnerability was used in the phishing campaign started on or about July 21, 2014 and primarily targeting the energy industry.
Software: Microsoft Internet Explorer
The vulnerability was used in the phishing campaign started on or about July 21, 2014 and primarily targeting the energy industry.
Links:
https://technet.microsoft.com/en-us/library/security/ms14-029
https://www.symantec.com/security_response/writeup.jsp?docid=2014-051503-4437-99
https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=721
http://researchcenter.paloaltonetworks.com/2014/07/beginning-end-use-free-exploitation/
http://blog.trendmicro.com/trendlabs-security-intelligence/may-2014-patch-tuesday-rolls-out-8-bullet...
http://www.securityweek.com/microsoft-adobe-patch-critical-security-vulnerabilities
Privilege escalation in Microsoft Windows
CVE-2014-1807
Privilege escalation
The vulnerability allows a local attacker to obtain elevated privileges on the target system.The weakness exists due to improper use of the ShellExecute API function. A local attacker can run a specially crafted application within the context of the Local System account and gain elevated privileges.
Successful exploitation of the vulnerability results in privilege escalation on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Windows
Remote code execution in Microsoft Internet Explorer
CVE-2014-1776
тАЬUse-after-freeтАЭ error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability uses a heap-spray technique. Used in Pawn Storm campaign.
Used by APT groups.
Software: Microsoft Internet Explorer
Used by APT groups.
Links:
https://technet.microsoft.com/en-US/library/security/2963983
https://technet.microsoft.com/en-us/library/security/ms14-021.aspx
https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explore...
https://blog.fortinet.com/2014/05/27/a-technical-analysis-of-cve-2014-1776
https://www.symantec.com/connect/blogs/emerging-threat-microsoft-internet-explorer-zero-day-cve-2014...
https://support.norton.com/sp/en/us/home/current/solutions/v98738922_EndUserProfile_en_us
https://www.trustwave.com/Resources/SpiderLabs-Blog/Microsoft-Internet-Explorer-0-Day-(CVE-2014-1776...
https://www.cyphort.com/dig-deeper-ie-vulnerability-cve-2014-1776-exploit/
http://researchcenter.paloaltonetworks.com/2014/05/tale-3-vulnerabilities-cve-2014-1776-exploit-link...
http://blog.trendmicro.com/trendlabs-security-intelligence/internet-explorer-zero-day-hits-all-versi...
https://www.beyondtrust.com/blog/internet-explorer-0day-cve-2014-1776/
http://thehackernews.com/2014/04/new-zero-day-vulnerability-cve-2014.html
https://krebsonsecurity.com/tag/cve-2014-1776/
Multiple vulnerabilities in Microsoft Word and Office Web Apps
CVE-2014-1761
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error when handling RTF-formatted data. A remote attacker can create a specially crafted RTF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Used in Pawn Storm campaign, attacks against government agencies in Taiwan.
Software: Microsoft Office
Known/fameous malware:
Trojans like Dridex or Dyreza and ransomware like cryptolocker or Teslacrypt.
Links:
https://technet.microsoft.com/en-us/library/security/2953095.aspx
https://technet.microsoft.com/en-us/library/security/ms14-017
https://securingtomorrow.mcafee.com/mcafee-labs/close-look-rtf-zero-day-attack-cve-2014-1761-shows-s...
https://community.hpe.com/t5/Security-Research/Technical-Analysis-of-CVE-2014-1761-RTF-Vulnerability...
https://www.trustwave.com/Resources/SpiderLabs-Blog/Microsoft-Word-RTF-0-Day-(CVE-2014-1761)/
http://stopmalvertising.com/malware-reports/a-closer-look-at-cve-2014-1761.html
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2014/june/extracting-the-payload-fr...
https://blog.cylance.com/infinity-vs-the-real-world-ms-word-vulnerability-cve-2014-1761
https://myonlinesecurity.co.uk/reswift-copy-word-doc-malware-cve-2014-1761-exploit/
https://www.symantec.com/connect/blogs/emerging-threat-microsoft-word-zero-day-cve-2014-1761-remote-...
https://avstrike.wordpress.com/2015/05/05/exploit-cve-2014-1761-gen-removal-guide-2/
http://www.securityweek.com/new-microsoft-word-zero-day-used-targeted-attacks
https://blog.yoocare.com/remove-exploit-cve-2014-1761-gen/
https://www.crowdstrike.com/blog/cve-2014-1761-alley-compromise/
http://arstechnica.com/security/2014/03/zero-day-vulnerability-in-microsoft-word-under-active-attack...
Remote code execution in Microsoft Internet Explorer
CVE-2014-0324
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
On Feb. 11, FireEye researchers identified a zero-day exploit in Internet Explorer 10.
The exploit was being used in Operation SnowMan that compromised the U.S. Veterans of Foreign Wars website.
Software: Microsoft Internet Explorer
Known/fameous malware:
Elderwood exploit kit.
The exploit was being used in Operation SnowMan that compromised the U.S. Veterans of Foreign Wars website.
Links:
https://technet.microsoft.com/en-us/library/security/ms14-012.aspx
https://www.symantec.com/security_response/vulnerability.jsp?bid=66040
http://researchcenter.paloaltonetworks.com/2014/07/beginning-end-use-free-exploitation/
http://www.computerworld.com/article/2489451/malware-vulnerabilities/-elderwood--hackers-still-setti...
http://www.darkreading.com/researchers-recent-zero-day-attacks-linked-via-common-exploit-package/d/d...
https://ae.norton.com/security_response/print_writeup.jsp?docid=2014-031311-2821-99
https://hackermedicine.com/how-the-elderwood-platform-is-fueling-2014s-zero-day-attacks/
http://104.239.158.70/elderwood-attack-platform-linked-multiple-internet-explorer-zero-day-attacks-s...
http://www.cio.com/article/2376236/security0/-elderwood--hackers-continue-to-set-pace-for-zero-day-e...
https://www.symantec.com/connect/blogs/attackers-targeting-other-ie-zero-day-vulnerability-covered-m...
https://www.symantec.com/connect/blogs/operation-backdoor-cut-targeted-basketball-community-ie-zero-...
Remote code execution in Microsoft Internet Explorer
CVE-2014-0307
тАЬUse-after-freeтАЭ error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to use-after-free when accessing an object in memory. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The flaw was most likely introduced in August 2013. The vulnerability was reported to vendor - 2014-02-04.
Private fully functional exploit code existed long before the vendor released security patch. We consider this vulnerability a zero-day.
Software: Microsoft Internet Explorer
Known/fameous malware:
JS/Exploit.CVE-2014-0307.
Private fully functional exploit code existed long before the vendor released security patch. We consider this vulnerability a zero-day.
Links:
https://technet.microsoft.com/library/security/ms14-012
https://www.symantec.com/security_response/vulnerability.jsp?bid=66032
http://ec2-75-101-158-109.compute-1.amazonaws.com/news/stories/33351-microsoft-internet-explorer-mem...
http://www.csoonline.com/article/2888040/cyber-attacks-espionage/the-top-software-exploit-of-2014-th...
http://www.techcentral.ie/top-exploit-2014-stuxnet-2010/
https://github.com/CCrashBandicot/helpful/blob/master/CVE-2014-0307.rb
Remote code execution in Microsoft Internet Explorer
CVE-2014-0322
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to use-after-free error related to GIFAS. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
A zero-day exploit hosted on a breached website based in the U.S Military. The vulnerability was used in the wild as part of "Operation SnowMan".
Software: Microsoft Internet Explorer
Known/fameous malware:
Trojan.Malscript
Trojan.Swifi.
Backdoor.Moudoor
Elderwood exploit kit.
Links:
https://technet.microsoft.com/library/security/2934088
https://www.fireeye.com/blog/threat-research/2014/02/new-ie-zero-day-found-in-watering-hole-attack-2...
http://securityaffairs.co/wordpress/25002/hacking/elderwood-platform-still-active.html
https://technet.microsoft.com/en-us/library/security/ms14-012.aspx
https://www.symantec.com/connect/blogs/emerging-threat-ms-ie-10-zero-day-cve-2014-0322-use-after-fre...
https://labs.bromium.com/2014/02/25/dissecting-the-newest-ie10-0-day-exploit-cve-2014-0322/
http://thehackernews.com/2014/02/cve-2014-0322-internet-explorer-zero.html
https://blogs.forcepoint.com/security-labs/cyber-criminals-expand-use-cve-2014-0322-patch-tuesday
http://securityaffairs.co/wordpress/22224/cyber-crime/fireeye-watering-hole-attack.html
http://www.zdnet.com/article/new-internet-explorer-10-zero-day-exploit-targets-u-s-military/
http://www.eweek.com/blogs/security-watch/microsoft-ie-zero-day-exploited-in-the-wild.html
http://54.204.81.18/news/stories/269204-cyber-criminals-expand-use-of-cve-2014-0322-before-patch-tue...
Multiple vulnerabilities in Microsoft .NET Framework
CVE-2014-0295
ASLR bypass
The vulnerability allows a remote attacker to bypass security restrictions on the target system.The weakness exists due to missing Address Space Layout Randomization (ASLR) features in certain components. A remote attacker can create a specially crafted Web site, trick the victim into opening it, bypass security restrictions and execute another attack.
Successful exploitation of the vulnerability results in security bypass on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Microsoft .NET Framework
Information disclosure in Microsoft XML Core Services
CVE-2014-0266
Information disclosure
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.The weakness exists due to improper enforcement of cross-domain policies. A remote attacker can create a specially crafted Web page, trick the victim into visiting it using Internet Explorer, bypass cross-domain security restrictions and read local files or content from web domains the victim is authenticated with.
Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.
Note: the vulnerability was being actively exploited.
Microsoft and FireEye first discussed this issue in November, 2013.
Software: Microsoft XML Core Services
ASLR bypass in Microsoft Office
CVE-2013-5057
ASLR bypass
The vulnerability allows a remote attacker to bypass certain security restrictions.The weakness exists due to improper implementation of Address Space Layout Randomization (ASLR) within HXDS Office shared component. A remote attacker can create a specially crafted Web site, trick the victim into visiting it and bypass the ASLR security feature.
Successful exploitation of the vulnerability may result in attacker's access to the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Microsoft Office
Signature validation bypass in Microsoft Windows
CVE-2013-3900
Sugnature verification bypass
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to improper validation of PE file digests during Authenticode signature verification within WinVerifyTrust function. A remote attacker can create specially crafted signed PE file, trick the victim into executing it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Windows
Links:
https://blogs.technet.microsoft.com/srd/2013/12/10/ms13-098-update-to-enhance-the-security-of-authen...
https://technet.microsoft.com/en-us/library/security/ms13-098.aspx
https://www.symantec.com/security_response/vulnerability.jsp?bid=64079
http://blog.talosintel.com/2013/12/microsoft-update-tuesday-december-2013.html
http://blog.trendmicro.com/trendlabs-security-intelligence/december-patch-tuesday-addresses-tiff-vul...
http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html
https://www.corero.com/resources/files/security_advisories/advisory_CNS_IPS_Microsoft_nVerifyTrust_C...
https://www.symantec.com/connect/blogs/microsoft-patch-tuesday-december-2013
https://www.sophos.com/en-us/threat-center/threat-analyses/vulnerabilities/VET-000559.aspx
Information disclosure in Microsoft Office
CVE-2013-5054
Information disclosure
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.The weakness exists due to an error in handling of a specially crafted response when opening a malicious Office file. A remote attacker can create a specially crafted file using, host it on remote website, trick the victim into opening it and gain access to tokens used to authenticate the current user on a targeted SharePoint or other Microsoft Office server site.
Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was discovered by the Adallom company and the attack was dubbed "Ice Dagger". The attackers used the vulnerability to steal Microsoft Office 365 authentication token. The victim of the unnamed company received an email with a link to attachment, located on a hidden server within TOR network. The vulnerability was reported to Microsoft in late May 2013.
Software: Microsoft Office
Links:
https://technet.microsoft.com/en-us/library/security/ms13-104.aspx
https://www.symantec.com/security_response/vulnerability.jsp?bid=64092
http://blog.talosintel.com/2013/12/microsoft-update-tuesday-december-2013.html
https://www.scmagazine.com/patch-tuesday-update-addresses-24-bugs-including-exploited-tiff-zero-day/...
http://news.softpedia.com/news/Newly-Patched-Office-365-Vulnerability-Used-in-Ice-Dagger-Targeted-At...
http://it.toolbox.com/blogs/securitymonkey/flaw-in-microsoft-office-365-allows-perfect-crime-58421
Privilege escalation in Microsoft Windows
CVE-2013-5065
Privilege escalation
The vulnerability allows a local attacker to obtain elevated privileges on the target system.The weakness exists due to improper validation of input by the NDProxy.sys kernel component. A local attacker with valid login credentials can use a malicious application to gain kernel privileges and execute arbitrary code on the system.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Windows bug (CVE-2013-5065) was exploited in conjunction with a patched Adobe Reader bug (CVE-2013-3346) to evade the Reader sandbox.
Kaspersky Lab revealed the vulnerability was used in Epic Turla (cyber-espionage campaigns).
Software: Windows
Known/fameous malware:
PDF:Exploit.CVE-2013-5065.A
Gen:Trojan.Heur.FU.ku3@aSHWAmji
Kaspersky Lab revealed the vulnerability was used in Epic Turla (cyber-espionage campaigns).
Links:
https://www.fireeye.com/blog/threat-research/2013/12/cve-2013-33465065-technical-analysis.html
https://www.fireeye.com/blog/threat-research/2013/11/ms-windows-local-privilege-escalation-zero-day-...
https://technet.microsoft.com/en-us/library/security/2914486.aspx
https://blogs.technet.microsoft.com/msrc/2013/11/27/microsoft-releases-security-advisory-2914486/
https://www.offensive-security.com/vulndev/ndproxy-local-system-exploit-cve-2013-5065/
https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Kernel-is-calling-a-zero(day)-pointer-%E2%80...
https://penturalabs.wordpress.com/2013/12/11/ndproxy-privilege-escalation-cve-2013-5065/
http://securityaffairs.co/wordpress/20092/hacking/windows-xp-zero-day.html
https://labs.portcullis.co.uk/blog/cve-2013-5065-ndproxy-array-indexing-error-unpatched-vulnerabilit...
https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attac...
https://www.scmagazine.com/windows-xp-zero-day-under-active-attack/article/543166/
https://www.fireeye.jp/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-zero-day-attacks-in...
https://securingtomorrow.mcafee.com/mcafee-labs/product-coverage-and-mitigation-for-cve-2013-5065/
Remote code execution in Microsoft Windows
CVE-2013-3918
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to out-of-bounds memory access within InformationCardSigninHelper Class ActiveX control (icardie.dll). A remote attacker can create specially crafted Web page that passes an overly long string argument to vulnerable ActiveX component, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerabilty was introduced on 07.27.2005, but publically disclosed later by Xiaobo Chen and Dan Caselden of FireEye.
The vulnerability has been exploited by the APTgroup behind the 2009 Aurora attack. The exploit uses a technique ROP (return-oriented-programming). According to FireEye, the attack has a link to the infrastructure used in Operation DeputyDog and Operation Ephemeral Hydra, which began in August and targeted organizations in Japan.
Software: InformationCardSigninHelper Class ActiveX control
The vulnerability has been exploited by the APTgroup behind the 2009 Aurora attack. The exploit uses a technique ROP (return-oriented-programming). According to FireEye, the attack has a link to the infrastructure used in Operation DeputyDog and Operation Ephemeral Hydra, which began in August and targeted organizations in Japan.
Links:
https://technet.microsoft.com/en-us/library/security/ms13-090.aspx
https://www.fireeye.com/blog/threat-research/2013/11/new-ie-zero-day-found-in-watering-hole-attack.h...
https://blogs.technet.microsoft.com/msrc/2013/11/11/activex-control-issue-being-addressed-in-update-...
https://blogs.technet.microsoft.com/srd/2013/11/12/technical-details-of-the-targeted-attack-using-ie...
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27146
http://eromang.zataz.com/2015/12/23/cve-2013-3918-cardspaceclaimcollection-activex-integer-underflow...
http://www.darkreading.com/new-ie-vulnerability-found-in-the-wild-sophisticated-web-exploit-follows/...?
http://www.securityweek.com/microsoft-patches-vulnerability-attackers-used-target-ie-users
https://blog.threattrack.com/a-look-inside-a-cve-2013-3918-exploit/
https://www.fireeye.jp/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-zero-day-attacks-in...
http://www.zdnet.com/article/ie-zero-day-used-by-cyber-arms-dealers-and-chinese-hackers/
https://support.ixiacom.com/about-us/news-events/corporate-blog/completing-deputydog-apt
http://www.darkreading.com/vulnerabilities---threats/fireeye-releases-2013-lab-performance-stats/d/d...
Remote code execution in Microsoft Graphics Component
CVE-2013-3906
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error when handling malicious images. A remote attacker can create specially crafted TIFF image file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The meta date of the files were set to October 17, 2013, which may suggest a creation time of this exploit.
Attacks leveraging this zero-day exploit revealed that the Hangover group, believed to operate from India, has compromised 78 computers, 47 percent of those in Pakistan. The attacks observed are very limited and carefully carried out against selected computers, largely in the Middle East and South Asia.
Software: Microsoft Office
Attacks leveraging this zero-day exploit revealed that the Hangover group, believed to operate from India, has compromised 78 computers, 47 percent of those in Pakistan. The attacks observed are very limited and carefully carried out against selected computers, largely in the Middle East and South Asia.
Links:
https://technet.microsoft.com/en-us/library/security/2896666.aspx
https://technet.microsoft.com/en-us/library/security/ms13-096
https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-labs-detects-zero-day-exploit-targeting-micro...
https://securingtomorrow.mcafee.com/business/security-connected/updates-and-mitigation-to-cve-2013-3...
https://blogs.technet.microsoft.com/srd/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-...
https://www.fireeye.com/blog/threat-research/2013/11/the-dual-use-exploit-cve-2013-3906-used-in-both...
https://www.crowdstrike.com/blog/analysis-cve-2013-3906-exploit/
http://www.primalsecurity.net/analysis-of-malicious-document-using-cve-2013-3906/
http://blog.trendmicro.com/trendlabs-security-intelligence/how-to-avoid-the-latest-microsoft-office-...
http://securityaffairs.co/wordpress/19460/hacking/microsoft-cve-2013-3906-zero-day.html
https://www.symantec.com/connect/forums/if-sep-daily-definition-covers-exploit-cve-2013-3906
Remote code execution in Microsoft Internet Explorer
CVE-2013-3897
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to user-after-free vulnerability in the CDisplayPointer object. A remote attacker can create a specially crafted Web page containing, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Used in Pawn Storm campaign.
A zero-day was used in highly targeted, low-volume attacks in Korea,
Hong Kong, and the United States, as early as September 18th, 2013.
Software: Microsoft Internet Explorer
A zero-day was used in highly targeted, low-volume attacks in Korea, Hong Kong, and the United States, as early as September 18th, 2013.
Links:
https://technet.microsoft.com/en-us/library/security/ms13-080.aspx
https://blogs.technet.microsoft.com/srd/2013/10/08/ms13-080-addresses-two-vulnerabilities-under-limi... https://technet.microsoft.com/library/security/ms13-080 http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-pawn-storm-fast-facts
https://blogs.forcepoint.com/security-labs/zero-day-attack-internet-explorer-cve-2013-3897-goes-high...
http://blog.talosintel.com/2013/10/ie-zero-day-cve-2013-3897-youve-been.html
https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=607
https://www.symantec.com/security_response/vulnerability.jsp?bid=62811
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27102
https://media.paloaltonetworks.com/lp/endpoint-security/blog/cve-2013-3897-analysis-of-yet-another-i...
http://eromang.zataz.com/2015/12/23/cve-2013-3897-microsoft-internet-explorer-cdisplaypointer-use-af...
https://vulners.com/metasploit/MSF:EXPLOIT/WINDOWS/BROWSER/MS13_080_CDISPLAYPOINTER
https://www.symantec.com/connect/blogs/new-internet-explorer-zero-day-targeted-attacks-against-korea...
http://www.benhayak.com/2013_11_01_archive.html
https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Technical-Aspects-of-Exploiting-IE-Zero-Day-...
https://krebsonsecurity.com/2013/10/adobe-microsoft-push-critical-security-fixes-3/#more-23010
Remote code execution in Microsoft Internet Explorer
CVE-2013-3893
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to use-after-free error in SetMouseCapture implementation. A remote attacker can create specially crafted JavaScript, place it on a Web page, trick the victim into visiting it using Internet Explorer, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability used ROP-chain technique and was exploited in Campaign Operation DeputyDog.
The vulnerability was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc, were targeted as well.
Software: Microsoft Internet Explorer
The vulnerability was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc, were targeted as well.
Links:
https://technet.microsoft.com/en-us/library/security/2887505
https://technet.microsoft.com/en-us/library/security/ms13-080
https://blogs.technet.microsoft.com/srd/2013/09/17/cve-2013-3893-fix-it-workaround-available/
https://blogs.technet.microsoft.com/srd/2013/10/08/ms13-080-addresses-two-vulnerabilities-under-limi...
https://nakedsecurity.sophos.com/2013/10/11/anatomy-of-an-exploit-ie-zero-day-part-1/
https://nakedsecurity.sophos.com/2013/10/25/anatomy-of-an-exploit-inside-the-cve-2013-3893-internet-...
https://www.f-secure.com/en/web/labs_global/cve-2013-3893
https://community.rapid7.com/community/metasploit/blog/2013/09/30/metasploit-releases-cve-2013-3893-...
https://www.symantec.com/security_response/vulnerability.jsp?bid=62453
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=70073
http://eromang.zataz.com/2015/12/22/cve-2013-3893-microsoft-internet-explorer-setmousecapture-uaf/
https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-part-2-zero-day-exploit-ana...
https://sgros-students.blogspot.com/2014/01/exploiting-and-analysing-cve-2013-3893.html
https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/product-coverage-and-mitigation...
https://securityintelligence.com/trusteers-exploit-prevention-stops-attacks-targeting-new-ie-zero-da...
https://media.paloaltonetworks.com/lp/endpoint-security/blog/cve-2013-3893-analysis-of-the-new-ie-0-...
http://tipstrickshack.blogspot.com/2013/10/exploit-for-all-ie-versioncve-2013-3893.html
Remote code execution in Microsoft Internet Explorer
CVE-2013-3163
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to use-after-free error in CBlockContainerBlock. A remote attacker can create specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability reffers to "Waterring hole attack".
Software: Microsoft Internet Explorer
Links:
https://h41382.www4.hpe.com/gfs-shared/downloads-226.pdf
https://technet.microsoft.com/en-us/library/security/ms13-055.aspx
https://www.fireeye.com/blog/threat-research/2013/10/aslr-bypass-apocalypse-in-lately-zero-day-explo...
https://www.symantec.com/security_response/vulnerability.jsp?bid=60975
http://www.zdnet.com/article/microsoft-admits-internet-explorer-flaw-targeted-by-hackers/
https://securingtomorrow.mcafee.com/mcafee-labs/new-zero-day-attack-copies-earlier-flash-exploitatio...
http://www.computerworld.com/article/2483926/microsoft-windows/targeted-attacks-exploit-now-patched-...
https://media.paloaltonetworks.com/lp/endpoint-security/blog/cve-2013-3163-internet-explorer-vulnera...
https://blogs.technet.microsoft.com/srd/2013/07/10/running-in-the-wild-not-for-so-long/
Remote code execution in Microsoft Office
CVE-2013-1331
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to buffer overflow when processing malicious PNG files. A remote attacker can create specially crafted file, trick the victim into opening it using an affected version of Microsoft Office, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was reported by Andrew Lyons and Neel Mehta of Google Inc.
Using the samples provided by Microsoft, Romang scoured GoogleтАЩs cache and found the earliest document that attempted to fetch the exploit dated from February, 2013. The document referenced territory disputes between China and the Philippines.
However, Romang uncovered another Word document created in 2009 that, according to GoogleтАЩs Virus Total service, would also exploit the flaw Microsoft patched. The fileтАЩs title тАЬThe corruption of MahathirтАЭ referred to a Malaysian politician, fitting MicrosoftтАЩs list of possible targets. Both documents to a Bridging Links URL.
The vulnerability might have been spotted in the wild, with campaigns starting as early as 2009. Microsoft believe attacks were limited to Indonesia and Malaysia.
Software: Microsoft Office
Known/fameous malware:
Trojan.Mdropper.
Using the samples provided by Microsoft, Romang scoured GoogleтАЩs cache and found the earliest document that attempted to fetch the exploit dated from February, 2013. The document referenced territory disputes between China and the Philippines.
However, Romang uncovered another Word document created in 2009 that, according to GoogleтАЩs Virus Total service, would also exploit the flaw Microsoft patched. The fileтАЩs title тАЬThe corruption of MahathirтАЭ referred to a Malaysian politician, fitting MicrosoftтАЩs list of possible targets. Both documents to a Bridging Links URL.
The vulnerability might have been spotted in the wild, with campaigns starting as early as 2009. Microsoft believe attacks were limited to Indonesia and Malaysia.
Links:
https://technet.microsoft.com/en-us/library/security/ms13-051.aspx
https://www.symantec.com/security_response/vulnerability.jsp?bid=60408
https://www.symantec.com/connect/blogs/microsoft-office-cve-2013-1331-coverage
https://media.paloaltonetworks.com/lp/endpoint-security/blog/cve-2013-1331-a-zero-day-disclosed.html
http://eromang.zataz.com/2013/06/13/ms13-051-cve-2013-1331-what-we-know-about-microsoft-office-zero-...
https://threatpost.com/important-office-2003-zero-day-deserves-second-look/100990/
https://blogs.technet.microsoft.com/srd/2013/06/11/ms13-051-get-out-of-my-office/
http://dataprotectioncenter.com/general/microsoft-office-cve-2013-1331-coverage/
http://blog.trendmicro.com/trendlabs-security-intelligence/light-june-2013-patch-tuesday-is-no-reaso...
Privilege escalation in Microsoft Windows
CVE-2013-3660
Privilege escalation
The vulnerability allows a local attacker to obtain elevated privileges on the target system.The weakness exists due to the failure to properly initialize a pointer for the next object in a certain list by the EPATHOBJ::pprFlattenRec function within kernel-mode driver (win32k.sys). A local attacker can use multiple FlattenPath function calls to obtain write access to the PATHRECORD chain and execute arbitrary code on the system with elevated privileges.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Tavis Ormandy, a Google security engineer, reported a critical bug to Microsoft only five days before going public.
The vulnerability has being used by Carbanak group.
Software: Windows
Known/fameous malware:
Cidox/Rovnix Bootkit
PowerLoader
The vulnerability has being used by Carbanak group.
Remote code execution in Microsoft Internet Explorer
CVE-2013-1347
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to use-after-free error in the CGenericElement object. A remote attacker can create specially crafted Web page, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability has been exploited in watering hole attack against Department of Labor (DoL). Used in Pawn Storm campaign.
Software: Microsoft Internet Explorer
Links:
https://www.fireeye.com/blog/threat-research/2013/05/ie-zero-day-is-used-in-dol-watering-hole-attack...
https://technet.microsoft.com/en-us/library/security/2847140.aspx
https://technet.microsoft.com/en-us/library/security/ms13-may.aspx
https://technet.microsoft.com/en-us/library/security/ms13-038
https://nakedsecurity.sophos.com/2013/05/09/microsoft-rushes-out-cve-2013-1347-fix-it-for-the-latest...
https://securityintelligence.com/cve-2013-1347-microsoft-internet-explorer-cgenericelement-object-us...
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=26721
http://stopmalvertising.com/malware-reports/cve-2013-1347-new-internet-explorer-8-0-day-used-in-wate...
https://vulners.com/metasploit/MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF
https://krebsonsecurity.com/2013/05/zero-day-exploit-published-for-ie8/
https://blogs.forcepoint.com/security-labs/internet-explorer-zero-day-vulnerability-cve-2013-1347-up...
https://www.sophos.com/en-us/threat-center/threat-analyses/vulnerabilities/VET-000479.aspx
https://blog.qualys.com/laws-of-vulnerabilities/2013/05/04/new-0-day-in-microsoft-internet-explorer-...
https://www.threatconnect.com/blog/threatconnect-gets-root-targeted-exploitation-campaigns/
Cross-site scripting in Microsoft SharePoint Server
CVE-2013-1289
Cross-site scripting
The vulnerability allows a remote attacker to obtain elevated privileges on the target system.The weakness exists due to an error related to the way HTML strings are sanitized by HTML Sanitization components. A remote attacker can create a specially crafted URL, trick the victim into opening it, take actions on the targeted site or read restricted content and obtain sensitive information with elevated privileges.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Microsoft SharePoint Server
Remote code execution in Microsoft Silverlight
CVE-2013-0074
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error when rendering an HTML object. A remote attacker can create a specially crafted Web site containing a malicious Silverlight applicationt, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Microsoft Silverlight
Known/fameous malware:
Exploit kits: Angler, Archie, Astrum, Fiesta, Hanjuan, Infinity (Exploit kit), Neutrino, Nuclear Pack, RIG.
Links:
https://technet.microsoft.com/en-us/library/security/ms13-022.aspx
https://www.zscaler.com/blogs/research/exploit-kits-anatomy-silverlight-exploit
https://www.checkpoint.com/downloads/partners/TCC-Silverlight-Jan2015.pdf
https://www.symantec.com/security_response/vulnerability.jsp?bid=58327
http://journeyintoir.blogspot.com/2014/05/cve-2013-0074-3896-silverlight-exploit.html
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27612
http://www.vxsecurity.sg/2014/06/18/technical-tear-down-fiesta-exploit-kit-silverlight-exploit-cve-2...
http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-at-a-silverlight-exploit/
https://blog.malwarebytes.com/threat-analysis/2014/05/malvertising-campaign-on-popular-site-leads-to...
http://blogs.cisco.com/security/angling-for-silverlight-exploits
https://www.scmagazine.com/more-exploits-including-silverlight-attack-packed-in-nuclear-kit/article/...
http://arstechnica.com/security/2014/05/move-over-java-drive-by-attacks-exploiting-microsoft-silverl...
Remote code execution in Microsoft Internet Explorer
CVE-2012-4792
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to use-after-free error when handling the CDwnBindInfo object and attempting to access an object in memory that has not been initialized or has been deleted. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
This vulnerability was described by Eric Romang and FireEye through Malware Protection Cloud.
The vulnerability has been exploited in watering hole attacks against Council on Foreign Relations (CFR) website 26.12.2012. The attack appears to be closely related to attacks in June 2012 that were targeting visitors of a major hotel chain and other attacks associated with the Elderwood Project.
Software: Microsoft Internet Explorer
The vulnerability has been exploited in watering hole attacks against Council on Foreign Relations (CFR) website 26.12.2012. The attack appears to be closely related to attacks in June 2012 that were targeting visitors of a major hotel chain and other attacks associated with the Elderwood Project.
Links:
https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-det...
https://technet.microsoft.com/library/security/ms13-008
https://technet.microsoft.com/library/security/2794220
http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-...
https://blogs.technet.microsoft.com/srd/2012/12/31/microsoft-fix-it-available-for-internet-explorer-...
https://blogs.technet.microsoft.com/srd/2012/12/29/new-vulnerability-affecting-internet-explorer-8-u...
https://www.alienvault.com/blogs/labs-research/new-internet-explorer-zeroday-was-used-in-the-dol-wat...
http://blog.exodusintel.com/2013/01/04/bypassing-microsofts-internet-explorer-0day-fix-it-patch-for-...
https://nakedsecurity.sophos.com/2012/12/31/zero-day-vulnerability-in-internet-explorer-being-used-i...
XSS in HTML Sanitization Component in Microsoft Office products
CVE-2012-2520
Cross-site scripting
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks and gain elevated privileges.The vulnerability exists due to insufficient sanitization of user-input within HTML Sanitization Component. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in userтАЩs browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Note: the vulnerability was being actively exploited.
Software: Microsoft Office InfoPath
Links:
https://technet.microsoft.com/en-us/library/security/ms12-066.aspx
http://www.mcafee.com/us/resources/release-notes/foundstone/fsl_10_10_2012.pdf
http://www.securityweek.com/recently-patched-html-sanitization-flaw-linked-hotmail-xss-vulnerability
http://www.trendmicro.com.ru/vinfo/ru/threat-encyclopedia/vulnerability/2293/microsoft-windows-html-...
http://www.tripwire.com/vert/vert-alert/vert-alert-october-9-2012/
https://www.sophos.com/en-us/threat-center/threat-analyses/vulnerabilities/VET-000380.aspx
Remote code execution in Microsoft Internet Explorer
CVE-2012-4969
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to use-after-free error in the CMshtmlEd::Exec function in mshtml.dll. A remote attacker can create a specially crafted Web site, trick the victim into viewing it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was found exploited in the wild and discovered by Eric Romang.
A real-world attack using the vulnerability first appeared in a blog post in Sep.14, 2012. The vulnerability was used by "Nitro" hacking group.
Software: Microsoft Internet Explorer
A real-world attack using the vulnerability first appeared in a blog post in Sep.14, 2012. The vulnerability was used by "Nitro" hacking group.
Links:
https://technet.microsoft.com/library/security/2757760
https://technet.microsoft.com/en-us/library/security/ms12-063
https://blogs.technet.microsoft.com/mmpc/2012/09/21/what-you-need-to-know-about-cve-2012-4969/
http://www.sevenforums.com/system-security/260613-should-i-remove-cve-2012-4969-a.html
http://krebsonsecurity.com/tag/cve-2012-4969/
https://www.f-secure.com/en/web/labs_global/cve-2012-4969
https://barracudalabs.com/2012/09/internet-explorer-0day-exploit-cve20124969-its-what-you-cant-see-t...
http://security.stackexchange.com/questions/21237/need-help-on-understanding-obfuscated-code-in-cve-...
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25947
http://contagiodump.blogspot.com/2012/09/cve-2012-4969-internet-explorer-0day.html
http://www.antiy.net/p/sample-of-cve-2012-4969/
https://www.securestate.com/blog/2012/09/21/threat-alert-internet-explorer-zero-day-cve-2012-4969
https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2012-4969-and-the-Unnamed-Admin-Panel/
Remote code execution in Windows Common Controls
CVE-2012-1856
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error in MSCOMCTL.OCX ActiveX control. A remote attacker can create a specially crafted Web page that passes an overly long string argument, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Favorite hackers' vulnerability for years has been exploited along with CVE-2012-1856, CVE-2015-1641, CVE-2015-1770 in an APT campaign against journalists and human rights workers in Tibet, Hong Kong and Taiwan.
Software: Microsoft Office
Links:
https://technet.microsoft.com/en-us/library/security/ms12-060
https://blog.ropchain.com/2015/07/27/analyzing-vupens-cve-2012-1856/
http://www.securityweek.com/cve-2012-0158-exploited-attacks-targeting-government-agencies-europe-asi...
http://researchcenter.paloaltonetworks.com/2015/08/rtf-exploit-installs-italian-rat-uwarrior/
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25966
https://securelist.com/analysis/publications/37158/the-curious-case-of-a-cve-2012-0158-exploit/
https://threatpost.com/apt-targeting-tibetans-packs-four-vulnerabilities-in-one-compromise/117493/
https://www.hackread.com/skype-malware-saves-screenshots-records-conversations/
https://www.grahamcluley.com/advanced-malware-logs-skype-calls-steals-files-removable-drives/
https://securingtomorrow.mcafee.com/mcafee-labs/threat-actors-use-encrypted-office-binary-format-eva...
https://www.symantec.com/security_response/vulnerability.jsp?bid=54948
https://blogs.technet.microsoft.com/srd/2012/08/14/ms12-060-addressing-a-vulnerability-in-mscomctl-o...
http://varzia.com/blog/keyboy-malware-used-in-targeted-attacks-in-asia/
Remote code execution in Microsoft Office
CVE-2012-1854
Untrusted Search Path
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The vulnerability exists due to the way Microsoft Office loads .dll libraries when opening Office documents (such as a .docx file). A remote attacker can place a specially crafted .dll file along with Microsoft Office document on a remote SMB or WebDAV share, trick the victim into opening that document and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was being actively exploited since mid-March, 2012. The targeted attacks were focusing on Japanese organizations.
Software: Microsoft Office
Links:
https://technet.microsoft.com/library/security/ms12-046
https://www.symantec.com/connect/blogs/microsoft-patch-tuesday-july-2012
https://www.trustwave.com/Resources/SpiderLabs-Blog/Microsoft-Patch-Tuesday-July-2012-%E2%80%93-TLS-...
https://www.symantec.com/connect/blogs/targeted-attacks-exploit-vba-vulnerability-july-ms-tuesday
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2012-1875
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to a use-after-free error related to same id property when attempting to access objects that have been deleted. A remote attacker can create a specially crafted Web site, trick the victim into viewing it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
A functional exploit with shellcode appeared on PasteBin on 8.06.12 - four days before the Microsoft patch release.
The vulnerability was reported by adept with nickname Dark Son and researcher Yichong Lin.
Software: Microsoft Internet Explorer
Known/fameous malware:
Trojan.Naid.
The vulnerability was reported by adept with nickname Dark Son and researcher Yichong Lin.
Links:
https://technet.microsoft.com/en-us/library/security/ms12-037
https://lists.xen.org/archives/html/xen-announce/2012-06/msg00001.html
https://www.symantec.com/connect/blogs/cve-2012-1875-exploited-wild-part-1-trojannaid
https://www.alienvault.com/blogs/labs-research/ongoing-attacks-exploiting-cve-2012-1875
https://threatpost.com/exploit-code-surfaces-cve-2012-1875-internet-explorer-bug-061812/76702/
http://breakthesecurity.cysecurity.org/2012/06/cve-2012-1875-hacking-windows-using-ms12-037-internet...
http://www.ehackingnews.com/2012/06/cve-2012-1875-exploit-for-remote-code.html
https://vulners.com/metasploit/MSF:EXPLOIT/WINDOWS/BROWSER/MS12_037_SAME_ID
http://eromang.zataz.com/2012/06/13/ms12-037-internet-explorer-same-id-vulnerability-metasploit-demo...
http://www.cio.com/article/2394927/security0/attack-code-published-for-two-actively-exploited-vulner...
http://www.infosecisland.com/blogview/21670-Symantec-Internet-Explorer-Zero-Day-Exploit-in-the-Wild....
Remote code execution in Microsoft XML Core Services
CVE-2012-1889
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error in XML Core Services (MSXML) when attempting to access an object in memory that has not been initialized. A remote attacker can create a specially crafted Web site, trick the victim into viewing it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
One of the vulnerabilities used by Aurora group.
The attackers used the CVE-2010-2884 and CVE-2012-1889 0-day exploits to specifically target visitors to Amnesty International Hong Kong site
20.06.2012 SophosLabs determined that the website of a European aeronautical parts supplier had been hacked and delivered exploit for CVE-2012-1889.
TrendMicro observed the vulnerability targeting Chinese high school webpage.
Software: Microsoft XML Core Services
The attackers used the CVE-2010-2884 and CVE-2012-1889 0-day exploits to specifically target visitors to Amnesty International Hong Kong site
20.06.2012 SophosLabs determined that the website of a European aeronautical parts supplier had been hacked and delivered exploit for CVE-2012-1889.
TrendMicro observed the vulnerability targeting Chinese high school webpage.
Links:
https://technet.microsoft.com/library/security/2719615
https://technet.microsoft.com/library/security/ms12-043
https://nakedsecurity.sophos.com/2012/06/20/aeronautical-state-sponsored-exploit/
https://www.symantec.com/connect/blogs/cve-2012-1889-action
http://blog.trendmicro.com/trendlabs-security-intelligence/technical-analysis-of-cve-2012-1889-explo...
http://blog.trendmicro.com/trendlabs-security-intelligence/technical-analysis-of-cve-2012-1889-explo...
http://blog.trendmicro.com/trendlabs-security-intelligence/technical-analysis-of-cve-2012-1889-explo...
http://www.welivesecurity.com/2012/06/20/cve2012-1889-msxml-use-after-free-vulnerability/
https://www.experts-exchange.com/questions/27793137/After-Friday's-Rounds-of-Patches-from-Microsoft-...
http://contagiodump.blogspot.com/2012/07/brian-mariani-high-tech-bridge-htbridge.html
http://www.darknet.org.uk/2012/06/windows-xml-core-services-exploit-attacked-in-the-wild-cve-2012-18...
http://www.infoworld.com/article/2617287/malware/widely-used-web-attack-toolkit-exploits-unpatched-m...
https://nakedsecurity.sophos.com/2012/06/29/zero-day-xml-core-services-vulnerability-included-in-bla...
https://www.sophos.com/en-us/threat-center/threat-analyses/vulnerabilities/VET-000352.aspx
https://nakedsecurity.sophos.com/2012/06/29/zero-day-xml-core-services-vulnerability-included-in-bla...
http://thehackernews.com/2012/09/operation-aurora-other-zero-day-attacks.html
Remote code execution in MSCOMCTL.OCX ActiveX control in Microsoft Office
CVE-2012-0158
Stack-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to stack-based buffer overflow in MSCOMCTL.OCX ActiveX control. A remote attacker can create a specially crafted Web page that passes an overly long string argument, trick the victim into viewing it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Researchers based in Asia noticed these malicious documents in Japan and Taiwan before they started showing up/targeting USA companies.
The vulnerability appeared to operate in 2014 in the Western Australian time zone. Examples of such groups include the 'Shiqiang Gang' (as reported by McAfee), 'PLEAD' (as reported by Trend Micro), 'NetTraveler' (as reported by Kaspersky) and 'APT12' (as reported by FireEye).
The vulnerability has been exploited in Red October attacks in 2012 and attacks targeting Chinese media organizations, personnel at government agencies in Europe, Middle East and Central Asia in 2013. The exploit was successfully used in breach attack against NewYork Times in August of 2013. The vulnerability was still exploited in 2016. Exploit for this vulnerability was used in Pawn Storm campaign as well.
Software: Microsoft Office
Known/fameous malware:
TROJ_DROPPER.IK
BKDR_HGDER.IK.
The vulnerability appeared to operate in 2014 in the Western Australian time zone. Examples of such groups include the 'Shiqiang Gang' (as reported by McAfee), 'PLEAD' (as reported by Trend Micro), 'NetTraveler' (as reported by Kaspersky) and 'APT12' (as reported by FireEye).
The vulnerability has been exploited in Red October attacks in 2012 and attacks targeting Chinese media organizations, personnel at government agencies in Europe, Middle East and Central Asia in 2013. The exploit was successfully used in breach attack against NewYork Times in August of 2013. The vulnerability was still exploited in 2016. Exploit for this vulnerability was used in Pawn Storm campaign as well.
Links:
https://technet.microsoft.com/library/security/ms12-027
https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/CVE-2012-0158-An-Anatomy-of-a-Prol...
https://securingtomorrow.mcafee.com/mcafee-labs/cve-2012-0158-exploit-in-the-wild/
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2012-0158-exploitation-seen-in-variou...
https://sentinelone.com/item-news/cve-2012-0158-allocated-2011-patched-2012-still-actively-exploited...
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25656
https://www.virusbulletin.com/blog/2014/10/cve-2012-0158-continues-be-used-targeted-attacks/
https://www.alienvault.com/blogs/security-essentials/cmstar-apt-malware-cve-2012-0158
http://contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html
http://blog.9bplus.com/same-cve-2012-0158-different-builder/
http://blog.malwaretracker.com/2013/08/cve-2012-0158-exploit-evades-av-in-mime.html
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2012-0158-now-being-used-in-more-tibe...
https://securelist.com/analysis/publications/37158/the-curious-case-of-a-cve-2012-0158-exploit/
https://blogs.sophos.com/2016/07/01/the-word-bug-that-just-wont-die-cve-2012-0158-the-cybercrime-gif...
Remote code execution in Microsoft Windows
CVE-2011-3402
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers. A remote attacker can create a specially crafted Word document or web page containing font data, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
This vulnerability was being actively exploited by the Stuxnet in Duqu attack.
Software: Windows
Known/fameous malware:
Win32/Exploit.CVE-2011-3402.G
W32.Duqu
Links:
https://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25272
https://media.ccc.de/v/29c3-5417-en-cve_2011_3402_analysis_h264
https://securelist.com/blog/incidents/31445/the-mystery-of-duqu-part-two-23/
https://securingtomorrow.mcafee.com/mcafee-labs/the-day-of-the-golden-jackal-%e2%80%93-further-tales...
https://technet.microsoft.com/library/security/2639658
https://technet.microsoft.com/library/security/ms11-087
https://blogs.technet.microsoft.com/msrc/2011/11/03/microsoft-releases-security-advisory-2639658/
https://www.f-secure.com/v-descs/exploit_w32_cve_2011_3402_a.shtml
https://krebsonsecurity.com/tag/cve-2011-3402/
http://yomuds.blogspot.com/2012/11/cve-2011-3402-and-cool-exploit-kit_28.html
http://blog.crysys.hu/2013/01/encryption-related-to-duqu-font-expoit-cve-2011-3402/
https://blogs.forcepoint.com/security-labs/cve-2011-3402-vulnerability-truetype-font-parsing
https://www.totaldefense.com/security-blog/tag/cve-2011-3402
Denial of service in Microsoft RDP
CVE-2011-1968
Denial of service
The vulnerability allows a remote attacker to cause DoS conditions on the target system.The weakness exists due to an error in the Remote Desktop Protocol when processing a sequence of malicious packets. A remote attacker can send a specially crafted RDP packets, gain access to an object that was not properly initialized or is deleted and cause the system to stop responding and restart.
Successful exploitation of the vulnerability results in denial of service on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Windows
Privilege escalation in Microsoft Windows
CVE-2011-1249
Privilege escalation
The vulnerability allows a local user to gain elevated privileges on the target system.
The vulnerability exists due to improper validation of input passed from user mode to the kernel in the Ancillary Function Driver (afd.sys). By running a malicious application, a local attacker with valid login credentials can execute arbitrary code with system privileges.
Successful exploitation of this vulnerability will allow the local attacker to obtain elevated privileges on vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Windows
Links:
https://technet.microsoft.com/en-us/library/security/ms11-046.aspx
https://www.fireeye.com/blog/threat-research/2014/10/two-targeted-attacks-two-new-zero-days.html
https://www.manageengine.com/products/desktop-central/patch-management/Windows-7-Ultimate-Edition/Wi...
http://www.hackingtutorials.org/exploit-tutorials/mingw-w64-how-to-compile-windows-exploits-on-kali-...
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2011-1255
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error related to time element when Internet Explorer attempts to access objects that have not been correctly initialized or have been deleted. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.
Note: According to experts from M86, the vulnerability was exploited in targeted attacks before the official patch release from Microsoft.
According to experts from M86, this vulnerability was exploited in targeted attacks before the official patch release from Microsoft.
Software: Microsoft Internet Explorer
Links:
http://news.softpedia.com/news/Recently-Patched-IE-Flaw-Exploited-as-Zero-Day-208646.shtml
http://digcert.com/docs/symantec/symantec_report_2012.htm
http://securityaffairs.co/wordpress/44749/cyber-crime/operation-dust-storm.html
https://technet.microsoft.com/en-us/library/security/ms11-050.aspx
Multiple vulnerabilities in Microsoft Windows
CVE-2012-0181
Improper input validation
The vulnerability allows a local user to obtain elevated privileges on the target system.
The vulnerability exists due to improper managing of Keyboard Layout files by the kernel-mode driver (win32k.sys). A local attacker can execute arbitrary code on vulnerable system with SYSTEM privileges.
Successful exploitation of this vulnerability will allow the local attacker to obtain elevated privileges on vulnerable system.
Note: the vulnerability was being actively exploited.
According to Trustwave this is a zero-day.
A private exploit has been developed by Cr4sh and been published 2 weeks after the advisory.
CVE-2012-0181 fixes an issue alluded to on exploitdb site on Nov. 21, 2011, fixed July 10, 2012.
Software: Windows
A private exploit has been developed by Cr4sh and been published 2 weeks after the advisory.
CVE-2012-0181 fixes an issue alluded to on exploitdb site on Nov. 21, 2011, fixed July 10, 2012.
Links:
https://technet.microsoft.com/en-us/library/security/ms12-034
https://blogs.technet.microsoft.com/srd/2012/05/08/ms12-034-duqu-ten-cves-and-removing-keyboard-layo...
https://www.symantec.com/security_response/vulnerability.jsp?bid=53326
http://www.zdnet.com/article/linux-trailed-windows-in-patching-zero-days-in-2012-report-says/
https://www.trustwave.com/Resources/Library/Documents/2013-Trustwave-Global-Security-Report/?dl=1
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2011-0094
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to use-after-free error when handling layout objects that have not been correctly initialized or have been deleted. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
This vulnerability was reported to iDefense by anonymous. NSS was ready to pay for exploit for this vulnerability $100-500.
The vulnerability was used to compromise Philippines human rights website.
Software: Microsoft Internet Explorer
Known/fameous malware:
Exploit:Win32/CVE-2011-0094.A
The vulnerability was used to compromise Philippines human rights website.
Links:
https://technet.microsoft.com/en-us/library/security/ms11-018.aspx
http://www.verisign.com/en_US/security-services/security-intelligence/vulnerability-reports/articles...
http://krebsonsecurity.com/tag/cve-2011-0094/
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/1971/layouts-handling-memory-co...
http://telussecuritylabs.com/threats/show/TSL20110414-01
https://www.symantec.com/connect/tr/blogs/government-and-human-rights-websites-fall-victim-targeted-...
http://www.infoworld.com/article/2620728/security/nss-labs-offers-reward-money-for-fresh-exploits.ht...
Information disclosure in MHTML in Microsoft Windows
CVE-2011-0096
Cross-site scripting
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.The vulnerability exists due to insufficient sanitization of user-input passed via MIME-formatted requests for content blocks within a document. A remote attacker can trick the victim to follow a specially crafted "MHTML:" link and execute arbitrary HTML and script code in userтАЩs browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
The vulnerability was originally disclosed on the WooYun website.
Software: Windows
Known/fameous malware:
exploit:win32/cve-2011-0096 trojan horse.
Links:
https://technet.microsoft.com/library/security/ms11-026
https://blogs.technet.microsoft.com/srd/2011/01/28/more-information-about-the-mhtml-script-injection...
https://blogs.technet.microsoft.com/msrc/2011/01/28/microsoft-releases-security-advisory-2501696/
http://blog.qisupport.com/exploitwin32cve-2011-0096-trojan-virus-how-to-remove/
https://www.removemalwaretip.com/windows-8/clear-exploitwin32cve-2011-0096-trojan-from-your-windows-...
http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=62646
https://blog.qualys.com/laws-of-vulnerabilities/2011/01/27/microsoft-advisory-on-client-side-xss-250...
https://blogs.forcepoint.com/security-labs/month-threat-webscape-march-2011
Remote code execution in Microsoft Internet Explorer
CVE-2011-1345
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error when handling onPropertyChange function calls. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was firstly disclosed by VUPEN in January 22, 2011.
This issue was disclosed as part of the Pwn2Own 2011 contest.
Using this vulnerability Irish security researcher Stephen Fewer successfully hacked into a 64-bit Windows 7 (SP1) running Internet Explorer 8 to win CanSecWest hacker challenge ($15,000 cash prize and a new Windows laptop) in March 9-11 in Vancouver, British Columbia.
The issue has been introduced in 03/05/2008.
Software: Microsoft Internet Explorer
Known/fameous malware:
Exploit:JS/CVE-2011-1345.
This issue was disclosed as part of the Pwn2Own 2011 contest.
Using this vulnerability Irish security researcher Stephen Fewer successfully hacked into a 64-bit Windows 7 (SP1) running Internet Explorer 8 to win CanSecWest hacker challenge ($15,000 cash prize and a new Windows laptop) in March 9-11 in Vancouver, British Columbia.
The issue has been introduced in 03/05/2008.
Links:
https://technet.microsoft.com/en-us/library/security/ms11-018
http://www.computerworld.com/article/2506697/cybercrime-hacking/safari--ie-hacked-first-at-pwn2own.h...
https://twitter.com/aaronportnoy/statuses/45642180118855680
http://www.zdnet.com/article/pwn2own-2011-ie8-on-windows-7-hijacked-with-3-vulnerabilities/
https://archive.cert.uni-stuttgart.de/bugtraq/2011/04/msg00159.html
https://packetstormsecurity.com/files/100469/Microsoft-Internet-Explorer-Property-Change-Memory-Corr...
Remote code execution in Microsoft Internet Explorer
CVE-2010-3971
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when parsing CSS styles. A remote attacker can create a specially crafted web page containing Cascading Style Sheet that refers to itself recursively, cause memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may allow an attacker to compromise vulnerable system.
Note: this vulnerability is being actively exploited.
The vulnerability appears to be connected to the group of Chinese hackers responsible for unleashing a pair of Java zero-day exploits in 2012. After examining of the geographical location of the targets for CVE-2010-3971, these attack attempts bear a close resemblance to those targeting CVE-2010-3962, another Internet Explorer issue that was dubbed as the Weekend Warrior.
Software: Microsoft Internet Explorer
Known/fameous malware:
Virus HTML:CVE-2010-3971-A
Links:
https://technet.microsoft.com/library/security/2488013
https://technet.microsoft.com/library/security/ms11-003
https://blogs.technet.microsoft.com/srd/2011/01/07/assessing-the-risk-of-public-issues-currently-bei...
https://blogs.technet.microsoft.com/msrc/2010/12/22/microsoft-releases-security-advisory-2488013/
https://blogs.technet.microsoft.com/mmpc/2011/02/08/cve-2010-3971-not-quite-the-weekend-warrior/
https://krebsonsecurity.com/2012/10/in-a-zero-day-world-its-active-attacks-that-matter/#more-16949
Privilege escalation in Windows Task Scheduler
CVE-2010-3338
Privilege escalation
The vulnerability allows a local user obtain elevated privileges on vulnerable system.
The vulnerability exists in Windows Task Scheduler when running scheduled tasks within the intended security context. A local user can create a specially crafted task and execute arbitrary code on vulnerable system with privileges of the local system account.
Successful exploitation of this vulnerability may allow a local user to obtain full access to vulnerable system.
Note: this vulnerability is being actively exploited.
The vulnerability was used by Stuxnet.
Software: Windows
Known/fameous malware:
W32.Stuxnet TDL-4 rootkit (TDSS) Trojan.Generic.KDV.128306
Links:
https://technet.microsoft.com/library/security/ms10-092
http://news.softpedia.com/news/Fake-YouTube-Pages-Serve-Trojan-via-Malicious-Java-Applets-186033.sht...
https://securelist.com/analysis/monthly-malware-statistics/36338/monthly-malware-statistics-december...
https://hotforsecurity.bitdefender.com/blog/java-badware-posing-as-youtube-plugin-1025.html
Use-after-free when parsing CSS in Internet Explorer
CVE-2010-3962
Use-after-free
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to use-after-free error when processing CSS token sequences and the clip attribute. A remote attacker can create a specially crafted HTML page, trick the victim into visiting it, cause memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
The vulnerability refers to cyberattacks, linked to the Nobel Peace Prize ceremony and G20-related malicious spam campaign reported in October 2010.
Software: Microsoft Internet Explorer
Known/fameous malware:
Exploit: Win32/CVE-2010-3962.A.
Links:
https://technet.microsoft.com/library/security/ms10-090 https://technet.microsoft.com/library/security/2458511
https://blogs.technet.microsoft.com/msrc/2010/11/02/microsoft-releases-security-advisory-2458511/
https://blogs.technet.microsoft.com/srd/2010/11/03/dep-emet-protect-against-attacks-on-the-latest-in...
https://www.symantec.com/security_response/writeup.jsp?docid=2010-110314-3703-99
https://www.symantec.com/connect/blogs/new-ie-0-day-used-targeted-attacks
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/79/cve20103962-yet-another-zeroday...
https://www.zscaler.com/blogs/research/obfuscated-exploits-continue-target-cve-2010-0806-and-cve-201...
http://security.bkav.com/home/-/blogs/new-ie-zero-day-vulnerability-cve-2010-3962-/normal
http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=301764
https://blogs.technet.microsoft.com/mmpc/2010/12/09/cve-2010-3962-the-weekend-warrior/
https://www.malwaredomainlist.com/forums/index.php?topic=4399.0
http://global.ahnlab.com/global/upload/download/asecreport/ASEC_Report_Vol.11_Eng.pdf
Multiple privilege escalation vulnerabilities in Win32k.sys in Microsoft Windows
CVE-2010-2743
Improper validation of array index
The vulnerability allows a local user to execute arbitrary code with elevated privileges.
The vulnerability exists due to an error in Win32k.sys driver when handling keyboard layouts as the Windows kernel fails to validate that an array index is within the bounds of the array. A local user can load a specially crafted keyboard layout and execute arbitrary code on the target system with privileges of SYSTEM account.
Successful exploitation of this vulnerability may allow an attacker to escalate privileges on vulnerable system.
Note: this vulnerability is being actively exploited by Stuxnet.The vulnerability was discovered by Sergey Golovanov from Kaspersky Lab. The vulnerability was exploited by Stuxnet.
Software: Windows
Known/fameous malware:
W32.Stuxnet
Links:
https://technet.microsoft.com/en-us/library/security/ms10-073.aspx
https://blogs.technet.microsoft.com/srd/2010/10/12/assessing-the-risk-of-the-october-security-update...
https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-the-recent-windows-zero-day-escalation-of-...
http://news.softpedia.com/news/Microsoft-Patches-One-of-Two-Stuxnet-EoP-Vulnerabilities-160840.shtml
http://link.springer.com/chapter/10.1007%2F978-3-642-35211-9_81#page-1
http://www.welivesecurity.com/2010/10/15/win32k-sys-about-the-patched-stuxnet-exploit/
https://www.beyondtrust.com/blog/microsoft-patch-tuesday-october-2010/
http://www.welivesecurity.com/2010/10/15/win32k-sys-about-the-patched-stuxnet-exploit/
http://www.welivesecurity.com/2010/10/15/stuxnet-paper-revision/
Information disclosure in ASP.NET
CVE-2010-3332
Information disclosure
The vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists due to improper handling of errors during encryption padding verification. A remote attacker can gain access to potentially sensitive encrypted information, such as view state, read files and possibly forge cookies.
Successful exploitation of the vulnerability may allow an attacker to gain access to sensitive information and potentially compromise vulnerable web application.
Note: this vulnerability is being publicly exploited.
Software: Microsoft .NET Framework
Links:
https://technet.microsoft.com/library/security/2416728
https://technet.microsoft.com/library/security/ms10-070
https://blogs.technet.microsoft.com/srd/2010/09/17/understanding-the-asp-net-vulnerability/
https://weblogs.asp.net/scottgu/important-asp-net-security-vulnerability
http://www.theinquirer.net/inquirer/news/1732956/security-researchers-destroy-microsoft-aspnet-secur...
https://trustfoundry.net/exploiting-net-padding-oracle-attack-ms10-070-cve-2010-3332-and-bypassing-m...
Remote code execution in Print Spooler service in Microsoft Windows
CVE-2010-2729
Improper access control
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to Windows Print Spooler service does not correctly restricts access permissions to create files for anonymous users. A remote attacker can send specially crafted RPC request to vulnerable service and upload malicious file to arbitrary location on the system.
This is a remote code execution vulnerability on Windows XP, since the guest account is enabled by default. On other operating systems this is a privilege escalation vulnerability, as only authenticated users have access to Print Spooler shares.
Successful exploitation of the vulnerability may result in remote code execution.
Note: this vulnerability is being actively exploited.
Two more CVEs refer to this vulnerability as well: CVE-2010-3888 and CVE-2010-3889. However since the vendor has issued advisory with different CVE number, we will use the one issued by Microsoft.
The vulnerability has been exploited in тАЬprint-bombтАЭ attack as Stuxnet worm.
Software: Windows
The vulnerability has been exploited in тАЬprint-bombтАЭ attack as Stuxnet worm.
Links:
https://technet.microsoft.com/en-us/library/security/ms10-061.aspx
https://securelist.com/analysis/kaspersky-security-bulletin/36345/kaspersky-security-bulletin-2010-s...
https://eatitorwearit.wordpress.com/tag/internal-attack/
https://svn.nmap.org/nmap-exp/sophron/nse-support/scripts/smb-vuln-ms10-061.nse
https://securelist.com/blog/incidents/29747/myrtus-and-guava-episode-ms10-061/ https://www.virusbulletin.com/conference/vb2010/abstracts/indepth-look-stuxnet
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23897
http://seclists.org/metasploit/2010/q3/385
http://link.springer.com/chapter/10.1007%2F978-3-642-35211-9_81#page-1
https://securingtomorrow.mcafee.com/mcafee-labs/stuxnet-update/
http://www.enigmasoftware.com/w32printlove-removal/
http://researchcenter.paloaltonetworks.com/2010/10/stuxnet-scada-malware/
Remote code execution in Microsoft Windows
CVE-2010-2568
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an error when parsing icons to .lnk and .pif files within Windows Explorer. A remote attacker can create a specially crafted icon file, trick the victim into clicking on it and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
The vulnerability was used by Stuxnet worm. According to Symantec the first exploitation of the vulnerability was discovered on 2008-02-13.
Software: Windows
Known/fameous malware:
Bloodhound.Exploit.343
W32.Stuxnet
W32.Changeup.C
W32.Ramnit
Links:
https://technet.microsoft.com/library/security/ms10-046
https://technet.microsoft.com/library/security/2286198
https://www.f-secure.com/weblog/archives/00001986.html
https://www.scmagazine.com/lnkexploitcve-2010-2568/article/558054/
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23801
http://www.welivesecurity.com/2010/07/22/a-few-facts-about-win32stuxnet-cve-2010-2568/
http://blogs.quickheal.com/stuxnet-cve-2010-2568-misconceptions-and-facts/
http://www.welivesecurity.com/2010/07/22/a-few-facts-about-win32stuxnet-cve-2010-2568/
https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
Remote code execution when parsing URLs in Microsoft Windows
CVE-2010-1885
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an error when parsing URLs within Microsoft Help and Support Center. A remote attacker can create a specially crafted hcp:// URL, trick the victim into clicking on it and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
The vulnerability was reported to Microsoft on July, 5th by Google security researcher Tavis Ormandy.
The vulnerability was used to compromise Federal Financial Institutions Examination Council via тАЬinform@ffiec.govтАЭ mailbox.
Software: Windows
Known/fameous malware:
Mal/HcpExpl-A
The vulnerability was used to compromise Federal Financial Institutions Examination Council via тАЬinform@ffiec.govтАЭ mailbox.
Links:
https://www.sans.org/newsletters/newsbites/xii/46
https://technet.microsoft.com/library/security/2219475
https://technet.microsoft.com/library/security/ms10-042
https://blogs.technet.microsoft.com/srd/2010/06/10/help-and-support-center-vulnerability-full-disclo...
http://seclists.org/fulldisclosure/2010/Jun/205
http://www.theregister.co.uk/2010/06/10/windows_help_bug/
http://contagiodump.blogspot.com/2010/06/jun-17-win-xp-sp2-sp3-0-day-cve-2010.html
http://journeyintoir.blogspot.com/2010/12/cve-2010-1885-windows-help-center-url.html
https://nakedsecurity.sophos.com/2010/06/15/cve-20101885-exploited-wild/
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=50268
http://blog.talosintel.com/2010/07/increase-in-attacks-on-cve-2010-1885.html
https://www.zscaler.com/blogs/research/help-center-url-validation-vulnerability-cve-2010-1885-campai...
https://www.edgewave.com/spam-filters/cve-2010-1885-subpoena-threat-and-targeted-attack-against-us-c...
Buffer overflow in MPEG layer-3 codecs in Microsoft Windows
CVE-2010-0480
Stack-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to multiple boundary errors within Microsoft MPEG Layer-3 codecs when parsing AVI files. A remote unauthenticated attacker can create a specially crafted AVI file, trick the victim into opening it, trigger stack-based buffer overflow and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: the vulnerability was being actively exploited.
According to Symantec the first exploitation of the vulnerability was discovered on 26.03.2010.
Software: Windows
Known/fameous malware:
Bloodhound.Exploit.324
Links:
https://technet.microsoft.com/en-us/library/security/ms10-026.aspx
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=24330
https://www.youtube.com/watch?v=aDhAAF19KUo
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/1901/microsoft-mpeg-layer3-audi...
https://fe-ddis.dk/cfcs/CFCSDocuments/Zeroday.pdf
Multiple vulnerabilities in Microsoft SharePoint
CVE-2010-0817
Cross-site scripting
The vulnerability allows a remote attacker to perform XSS attacks.
The vulnerability exists due to insufficient sanitization of user-supplied input data passed to Help.aspx script. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in victimтАЩs browser in context of vulnerable SharePoint website.
Successful exploitation may allow an attacker to conduct phishing and drive-by-download attacks.
Note: this vulnerability is being publicly exploited.
Software: Microsoft SharePoint Server
Known/fameous malware:
Exploit: Win32/CVE-2010-0817
Remote code execution in Microsoft Internet Explorer
CVE-2010-0806
Use-after-free
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to use-after-free error in the Peer Objects component within iepeers.dll library. A remote attacker can create a specially crafted web page, trick the victim into visiting it and execute arbitrary code via vectors involving access to an invalid pointer after the deletion of an object.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
The vulnerability is declared as functional and was handled as a non-public zero-day exploit for at least 3274 days. The story of CVE-2010-0806 bears a certain similarity to the developments in the case of the targeted 'Aurora' attack where the exploit techniques were quickly adopted by the authors of web exploit kits for the use in massive web attacks. The country that suffered a huge loss by malware in April 2010 was China, with 22% of malware attacks. It was followed by Russia (17%), USA (10%), India (4%) and Germany (4%).
Software: Microsoft Internet Explorer
Known/fameous malware:
Some of the variants: Trojan:Win32/Wisp, TrojanDropper:Win32/Lisiu, TrojanDropper:Win32/Agent.gen!I, TrojanDownloader:Win32/Small.gen!AZ, Backdoor:Win32/Agent.FS, TrojanDropper:Win32/Frethog.
Links:
https://blogs.technet.microsoft.com/msrc/2010/03/09/security-advisory-981374-released/
https://blogs.technet.microsoft.com/mmpc/2010/03/30/active-exploitation-of-cve-2010-0806/
http://blog.trendmicro.com/trendlabs-security-intelligence/new-ie-zero-day-exploit-cve-2010-0806/
https://www.zscaler.com/blogs/research/cve-2010-0806-exploit-wild
https://securingtomorrow.mcafee.com/mcafee-labs/targeted-internet-explorer-0day-attack-announced-cve...
https://vulners.com/metasploit/MSF:EXPLOIT/WINDOWS/BROWSER/MS10_018_IE_BEHAVIORS
http://techblog.omidfarhang.com/en-us/2010/04/09/singers-exploit-kit-version-cve-2010-0806/
https://blog.c22.cc/tag/cve-2010-0806/
http://www.spamfighter.com/News-14383-Kido-Still-Manages-to-be-the-Leading-Malware-Producer-in-April...
Integer overflow in Microsoft Paint
CVE-2010-0028
Integer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
he vulnerability exists due to integer overflow when processing JPEG files using Microsoft Paint. A remote attacker can create a specially crafted JPEG file, trick the victim into opening it using Microsoft Pain application, trigger integer overflow and execute arbitrary code on the target system with privileges of the current user.Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.The first attack using exploit for this vulnerability was detected in October 14, 2008 by Symantec. The attackers targeted 102 hosts using 127 malware variants.
Software: Paint
Known/fameous malware:
Bloodhound.Exploit.314
Remote code execution in Microsoft Internet Explorer
CVE-2010-0249
Use-after-free
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to use-after-free error in Microsoft Internet Explorer. A remote attacker can execute arbitrary code by accessing a pointer associated with a deleted object.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Aurora exploit was used in targeted attacks ("Aurora") on Google and other U.S. companies, and which Google claims originated in China. Source code was stolen from some of the more than 30 Silicon Valley companies targeted in the attack.
Software: Microsoft Internet Explorer
Links:
https://blogs.technet.microsoft.com/msrc/2010/01/14/security-advisory-979352-released/
https://technet.microsoft.com/library/security/979352
https://technet.microsoft.com/en-us/library/security/ms10-002.aspx
http://www.computerworld.com/article/2522723/government-it/microsoft-to-patch-bug-used-in-google-hac...
http://www.theregister.co.uk/2010/01/15/ie_zero_day_exploit_goes_wild/
https://www.cnet.com/news/new-ie-hole-exploited-in-attacks-on-u-s-firms/
https://www.zscaler.com/blogs/research/ie-0-day-govcn
https://www.nsslabs.com/blog/protecting-vulnerability-cve-2010-0249/
https://www.zscaler.com/blogs/research/aurora-exploit-still-floating
http://www.geoffchappell.com/notes/security/aurora/
https://googleblog.blogspot.com/2010/01/new-approach-to-china.html
http://indiatoday.intoday.in/story/Chinese+hackers+target+PMO/1/79215.html
https://www.wired.com/2010/01/operation-aurora/
http://developers-club.com/posts/81142/
https://blog.fortinet.com/2010/01/21/ms10-002-get-it-while-it-s-hot
Two remote code execution vulnerabilities in Microsoft Windows
CVE-2009-0555
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error when processing malformed Advanced Systems Format (ASF) files. A remote attacker can create a specially crafted audio file that uses the Windows Media Speech code, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Windows Media Format Runtime
Multiple vulnerabilities in Microsoft Windows
CVE-2009-3126
Integer Overflow or Wraparound
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to integer overflow in GDI+ when handling PNG image file. A remote attacker can create a specially crafted PNG image file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: according to reports this vulnerability was being actively exploited before Microsoft issued security patch.
According to Symantec the first exploitation of the vulnerability was discovered on 2009-01-27.
Software: Windows
Known/fameous malware:
Bloodhound.Exploit.278.
Links:
https://technet.microsoft.com/en-us/library/security/ms09-062.aspx
https://nakedsecurity.sophos.com/2009/10/14/microsoft-adobes-october-2009-security-updates/
https://fe-ddis.dk/cfcs/CFCSDocuments/Zeroday.pdf
https://www.symantec.com/security_response/writeup.jsp?docid=2009-101906-3351-99
https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
Multiple vulnerabilities in Microsoft Windows
CVE-2009-2501
Heap-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to heap-based buffer overflow in GDI+ when handling PNG image file. A remote attacker can create a specially crafted PNG image file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
According to Symantec the first exploitation of the vulnerability was discovered on 2009-01-07.
Software: Windows
Known/fameous malware:
Bloodhoud.Exploit.277
Links:
http://www.its.ms.gov/Services/SecurityAlerts/2009-10-14-multiple_vulnerabilities_in_gdi_could_allow...
https://technet.microsoft.com/en-us/library/security/ms09-062.aspx
https://nakedsecurity.sophos.com/2009/10/14/microsoft-adobes-october-2009-security-updates/
https://fe-ddis.dk/cfcs/CFCSDocuments/Zeroday.pdf
https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
Two vulnerabilities in Microsoft IIS FTP server
CVE-2009-3023
Stack-based buffer overflow
The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.The weakness exists due to stack-based buffer overflow in FTP server. A remote authenticated attacker can send a specially crafted FTP NLST command containing a wildcard that references a subdirectory, trigger memory corruption and execute arbitrary code on the system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The issue has been introduced in 06/02/1998. The weakness was publicly disclosed on August 31, 2009 by Kingcope. The vulnerability was handled as a non-public zero-day exploit.
Software: Microsoft IIS
Denial of service in Microsoft .NET Framework
CVE-2009-1536
Denial of service
The vulnerability allows a remote attacker to cause DoS conditions on the target system.The weakness exists due to incorrect managing of request scheduling by ASP.NET. By sending multiple HTTP requests, a remote attacker can trigger the Web server to crash.
Successful exploitation of the vulnerability results in denial of service on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Microsoft .NET Framework
Remote code execution in Microsoft Windows
CVE-2009-2493
Improper initialization
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to improper initialization in the Microsoft Active Template Library (ATL) when handling objects from data streams related to unsafe usage of OleLoadFromStream() function. A remote attacker can create a specially crafted Web site that instantiates a vulnerable component or control using the IE browser, trick the victim into viewing it and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Microsoft Active Template Library
Links:
https://technet.microsoft.com/library/security/973882
http://www.adobe.com/support/security/advisories/apsa09-04.html
https://technet.microsoft.com/en-us/library/security/ms09-055.aspx
http://www.itsecdb.com/oval/definition/oval/org.mitre.oval/def/6621/ATL-COM-Initialization-Vulnerabi...
http://blogs.adobe.com/psirt/?p=52
Remote code execution in Microsoft Office Web Components
CVE-2009-1136
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error in Office Web Components ActiveX Control when handling parameter values. A remote attacker can create a specially crafted Web page, trick the victim into viewing it and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Microsoft Office
Links:
https://technet.microsoft.com/library/security/973472
https://isc.sans.edu/diary/Vulnerability+in+Microsoft+Office+Web+Components+Control+Could+Allow+Remo...
https://blogs.technet.microsoft.com/msrc/2009/07/13/microsoft-security-advisory-973472-released/
https://technet.microsoft.com/en-us/library/security/ms09-043.aspx
http://www.zerodayinitiative.com/advisories/ZDI-09-054/
http://www.securiteam.com/cves/2009/CVE-2009-1136.html
http://stateofsecurity.com/wp-content/uploads/2009/07/ExploitRA071409.pdf
Remote code execution in Microsoft Video ActiveX Control
CVE-2008-0015
Stack-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to stack-based buffer overflow in the Microsoft Video ActiveX Control, msvidctl.dll. By persuading a victim to visit a specially crafted Web page, a remote attacker can trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability has been exploited in the wild since June 11, 2009 (as discovered by X-Force) and was touted by the media and by SANS as being exploited in the wild on July 6, 2009.
According to Symantec research first exploitation of the vulnerability was detected on 2008-12-28.
Software: Microsoft Video ActiveX Control
Known/fameous malware:
HTML/CVE-2008-0015
Bloodhoud.Exploit.259
According to Symantec research first exploitation of the vulnerability was detected on 2008-12-28.
Links:
https://technet.microsoft.com/en-us/library/security/972890
https://technet.microsoft.com/en-us/library/security/ms09-032.aspx
https://isc.sans.edu/diary/0-day+in+Microsoft+DirectShow+%28msvidctl.dll%29+used+in+drive-by+attacks...
https://blogs.technet.microsoft.com/srd/2009/08/11/ms09-037-why-we-are-using-cves-already-used-in-ms...
https://www.symantec.com/security_response/writeup.jsp?docid=2009-070605-3347-99
http://www.pandasecurity.com/mediacenter/malware/social-engineering-pdfs-and-banking-trojans/
http://tpmitigation.sourceforge.net/
https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
Multiple vulnerabilities in Microsoft Excel
CVE-2009-0561
Integer Overflow or Wraparound
The vulnerability alows a remote attacker to execute arbitrary code on the target system.The weakness exists due to integer overflow when parsing the Excel spreadsheet file format. A remote attacker can create a specially crafted Excel file containing a malformed object record, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
According to Symantec the first exploitation of the vulnerability was discovered on 11.01.2009.
Software: Microsoft Excel
Known/fameous malware:
Bloodhound.Exploit.251
Links:
https://technet.microsoft.com/en-us/library/security/ms09-021.aspx
https://www.symantec.com/security_response/writeup.jsp?docid=2009-061802-2317-99&tabid=2
https://www.symantec.com/security_response/writeup.jsp?docid=2009-061802-2317-99
http://telussecuritylabs.com/threats/show/TSL20090609-22
https://www.youtube.com/watch?v=-X51L07fk48
https://fe-ddis.dk/cfcs/CFCSDocuments/Zeroday.pdf
https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
Multiple vulnerabilities in Microsoft Excel
CVE-2009-1134
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to buffer overflow when parsing the Excel spreadsheet file format. A remote attacker can create a specially crafted Excel file containing a malformed record pointer, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: according to reports this vulnerability was being actively exploited before Microsoft issued security patch.
The vulnerability has been exploited over a year and was reported to vendor on 2009-03-26.
According
to Symantec the first exploitation of the vulnerability was discovered on 2008-07-25.
Software: Microsoft Excel
Known/fameous malware:
Bloodhound.Exploit.254.
According to Symantec the first exploitation of the vulnerability was discovered on 2008-07-25.
Links:
https://downloads.avaya.com/css/P8/documents/100062475
http://www.securityfocus.com/archive/1/archive/1/504213/100/0/threaded
https://technet.microsoft.com/en-us/library/security/ms09-021.aspx
https://books.google.com.ua/books?id=1E0SCAAAQBAJ&pg=PA275&lpg=PA275&dq=CVE-2009-1134&source=bl&ots=...
https://fe-ddis.dk/cfcs/CFCSDocuments/Zeroday.pdf
https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
Multiple priviledge escalation vulnerabilities in Microsoft Windows
CVE-2009-1123
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges on the target system.The weakness exists due to improper validation of changes in certain kernel objects. By running a malicious application, a local attacker can submit malformed calls to the Windows Kernel and execute arbitrary code in kernel mode.
Successful exploitation of the vulnerability results in privilege escalation allowing to execute arbitrary code and take complete control of an affected system.
Note: according to reports this vulnerability was being actively exploited before Microsoft issued security patch.
This vulnerability was used by Equation group in attacks, which involved Fanny malware. The exploit is later added to Stuxnet malware. Initially discovered by Kaspersky Lab in December 2008.
Microsoft bulletin describing 4 vulnerabilities is not clear on which vulnerability was used during the attacks. We are aware of at least two publicly disclosed exploits from this bulletin used by different malware in targeted attacks during Operation Pawn Storm and Turla.
The CVEs covered in this bulletin: CVE-2009-1123, CVE-2009-1124, CVE-2009-1125, CVE-2009-1126. At least one of them has being exploited in the wild before official security patch.
Software: Windows
Known/fameous malware:
Exploit kits: Fanny, Stuxnet, Turla.
Microsoft bulletin describing 4 vulnerabilities is not clear on which vulnerability was used during the attacks. We are aware of at least two publicly disclosed exploits from this bulletin used by different malware in targeted attacks during Operation Pawn Storm and Turla.
The CVEs covered in this bulletin: CVE-2009-1123, CVE-2009-1124, CVE-2009-1125, CVE-2009-1126. At least one of them has being exploited in the wild before official security patch.
Remote code execution in Microsoft DirectX
CVE-2009-1537
Null byte interaction error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to NULL byte error in DirectX. A remote attacker can create a specially crafted QuickTime media file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Microsoft DirectX
Known/fameous malware:
Exploit:JS/Mult.BM
Exploit:Win32/CVE-2009-1537
Links:
https://blogs.technet.microsoft.com/srd/2009/05/28/new-vulnerability-in-quartz-dll-quicktime-parsing...
https://blogs.technet.microsoft.com/msrc/2009/05/28/microsoft-security-advisory-971778-vulnerability...
https://technet.microsoft.com/en-us/library/security/ms09-028.aspx
https://isc.sans.edu/forums/diary/Microsoft+DirectShow+vulnerability/6481/
https://technet.microsoft.com/library/security/971778
https://www.security-database.com/detail.php?alert=CVE-2009-1537
http://www.marketwired.com/press-release/skyrecon-identifies-two-vulnerabilities-in-windows-directsh...
http://doa.alaska.gov/ets/security/S_Advisory/SA2009-028.pdf
https://technet.microsoft.com/library/security/ms09-028
Multiple vulnerabilities in Microsoft Powerpoint
CVE-2009-0556
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error when handling malformed PowerPoint files. A remote attacker can create a specially crafted PowerPoint file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: this vulnerability was being actively exploited.
Software: Microsoft PowerPoint
Links:
https://technet.microsoft.com/en-us/library/security/ms09-017.aspx
http://www.zerodayinitiative.com/advisories/ZDI-09-019/
http://contagiodump.blogspot.com/2010/07/jul-8-cve-2009-0556-china-and-cheonan.html
https://blog.qualys.com/laws-of-vulnerabilities/2009/05
https://www.lexsi.com/securityhub/1-2-3-patch-day-2/?lang=en
https://www.mycert.org.my/en/services/advisories/mycert/2009/main/detail/663/index.html
http://www.welivesecurity.com/2014/10/31/two-recently-patched-adobe-flash-vulnerabilities-now-used-e...
https://www.auscert.org.au/render.html?it=10978
https://www.mycert.org.my/en/services/advisories/mycert/2009/main/detail/663/index.html
https://www.symantec.com/connect/blogs/microsoft-patch-tuesday-may-2009
https://blogs.technet.microsoft.com/msrc/2009/05/12/may-2009-bulletin-release/
https://blogs.technet.microsoft.com/srd/2009/05/12/ms09-017-an-out-of-the-ordinary-powerpoint-securi...
Multiple vulnerabilities in Microsoft Windows
CVE-2009-0080
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges on the target system.The weakness exists due to incorrect placing of access control lists (ACLs) on threads in the current ThreadPool. By leveraging incorrect thread ACLs an attacker can access NetworkService or LocalService account, obtain elevated privileges and execute code with privileges of SYSTEM account.
Successful exploitation of the vulnerability results in privilege escalation allowing to execute arbitrary code and take complete control of an affected system.
Note: this vulnerability was being actively exploited.
Known as "Token Kidnapping".
Software: Windows
Multiple vulnerabilities in Microsoft Windows
CVE-2009-0079
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges on the target system.The weakness exists due to improper isolation of processes in the RPCSS service. Accessing the computer under the context of a NetworkService or LocalService account an attacker can obtain privileged security tokens and execute code with privileges of SYSTEM account.
Successful exploitation of the vulnerability results in privilege escalation allowing to execute arbitrary code and take complete control of an affected system.
Note: this vulnerability was being actively exploited.
Known as "Token Kidnapping".
Software: Windows
Multiple vulnerabilities in Microsoft Windows
CVE-2009-0078
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges on the target system.The weakness exists due to insufficient security protections in Windows Management Instrumentation (WMI) providers. Accessing the computer under the context of a NetworkService or LocalService account an attacker can obtain privileged security tokens and execute code with privileges of SYSTEM account.
Successful exploitation of the vulnerability results in privilege escalation allowing to execute arbitrary code and take complete control over the affected system.
Note: this vulnerability was being actively exploited.
Knows as Token Kidnapping.
Software: Windows
Multiple vulnerabilities in Microsoft Windows
CVE-2009-0087
Memory corruption
The vulnerability alows a remote attacker to execute arbitrary code on the target system.The weakness exists due to buffer overflow when process documents in Microsoft WordPad and Microsoft Office converter. A remote attacker can create a specially crafted Word file containing a malformed data, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was handled as a non-public zero-day exploit for at least 3344 days. The issue has been introduced in 02/17/2000.
The vulnerability was firstly disclosed in June 17, 2008.
Software: Windows
The vulnerability was firstly disclosed in June 17, 2008.
Remote code execution in Microsoft Windows
CVE-2009-0084
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to use-after-free error when processing a malformed JPEG file. A remote attacker can create a specially crafted JPEG file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: this vulnerability is being actively exploited.
According to Symantec the first exploitation of the vulnerability was discovered on 2008-10-23.
Software: Microsoft DirectX
Two vulnerabilities in Microsoft IIS FTP server
CVE-2009-2521
Improper input validation
The vulnerability allows a remote authenticated attacker to cause DoS conditions on the target system.The weakness exists due to an error when processing recursive directory listing commands by the FTP Service. By sending a specially crafted LIST command containing wildcard characters, a remote attacker can trigger the FTP service to crash.
Successful exploitation of the vulnerability results in denial of service on the vulnerable system.
Note: the vulnerability was being actively exploited.
The issue has been introduced in 02/17/2000. The weakness was disclosed on 09/04/2009 by Kingcope.
Software: Microsoft IIS
Remote code execution in Microsoft Excel
CVE-2009-0238
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error when parsing the Excel spreadsheet file format. A remote attacker can create a specially crafted Excel file containing a malformed object, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: this vulnerability was being actively exploited.
Software: Microsoft Excel
Known/fameous malware:
TROJ_MDROPPER.XR (TrendMicro)
Exploit - MSExcel.r (McAfee)
Trojan.Mdropper.AC (Symantec)
Links:
https://technet.microsoft.com/en-us/library/security/968272.aspx
https://technet.microsoft.com/en-us/library/security/ms09-009.aspx
https://www.symantec.com/security_response/writeup.jsp?docid=2009-022310-4202-99
https://www.secureworks.com/blog/research-20953
https://www.us-cert.gov/ncas/alerts/TA09-104A
http://blog.trendmicro.co.jp/archives/2596
https://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2009/av09-018-eng.aspx
https://downloads.avaya.com/css/P8/documents/100063922
https://www.paulstechtalk.com/2009/04/microsoft-released-april-patch-list-for-patch-tuesday/
Remote code execution in Microsoft Windows
CVE-2008-4844
Use-after-free
The vulnerability alows a remote attacker to execute arbitrary code on the target system.The weakness exists due to use-after-free error in the CRecordInstance::TransferToDestination function in mshtml.dll in Microsoft Internet Explorer. A remote attacker can construct a specially crafted Web page, trick the victim into viewing it, trigger memory corruption and execute arbitrary code via DSO bindings involving an XML Island, XML DSOs, or Tabular Data Control (TDC) in a crafted HTML or XML document.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Microsoft Internet Explorer
Links:
https://technet.microsoft.com/library/security/ms08-078
https://technet.microsoft.com/library/security/961051
https://secunia.com/advisories/33089
http://marc.info/?l=bugtraq&m=123015308222620&w=2
http://www.kb.cert.org/vuls/id/493881
https://securityandthe.net/2008/12/17/its-official-ms08-78-fixing-critical-ie-bug/
Remote code execution in Microsoft Word
CVE-2008-4841
Stack-based buffer overflow
The vulnerability alows a remote authenticated attacker to execute arbitrary code on the target system.The weakness exists due to stack overflow when parsing a malicious document. A remote attacker can create a specially crafted Word file containing a malformed list structure, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Microsoft WordPad
Known/fameous malware:
Exploit: Win32/CVE-2008-4841
Links:
https://technet.microsoft.com/library/security/960906
https://technet.microsoft.com/en-us/library/security/ms09-010.aspx
https://www.us-cert.gov/ncas/alerts/TA09-104A
http://www.openwall.com/lists/oss-security/2009/01/21/9
https://www.suse.com/security/cve/CVE-2008-4841
http://contagiodump.blogspot.com/2010/04/cve-2008-4841-wordpad-text-converter.html
Two remote code execution vulnerabilities in Microsoft Windows
CVE-2008-2249
Integer Overflow or Wraparound
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to integer overflow when processing malformed WMF image file. By persuading the victim to open a specially crafted WMF image file containing a malformed header, a remote attacker can cause memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: according to reports this vulnerability was being actively exploited before Microsoft issued security patch.
Software: Windows
Known/fameous malware:
Bloodhound.Exploit.214.
Links:
https://technet.microsoft.com/en-us/library/security/ms08-071.aspx
http://seclists.org/fulldisclosure/2008/Dec/283
https://fe-ddis.dk/cfcs/CFCSDocuments/Zeroday.pdf
https://ae.norton.com/security_response/print_writeup.jsp?docid=2008-121611-4833-99
https://www.cnet.com/news/microsoft-fixes-28-flaws-6-are-critical/
https://www.qualys.com/research/security-alerts/2008-12-09/microsoft/
https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
Remote code execution in Microsoft Windows
CVE-2008-4250
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to buffer overflow during path canonicalization in Windows Server service. By sending a specially crafted RCP request, a remote attacker can cause memory corruption and execute arbitrary code with privileges of system account.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: this vulnerability was being actively exploited.
Software: Windows
Known/fameous malware:
Trojan (Gimmiv.A) and a Trojan searching for non-patched machines on LAN (Arpoc.A)
W32.Downadup aka ConямБcker
W32.Downadup.B
W32.Fujacks.CE
W32.Neeris.C
W32.Wapomi.B
Links:
http://marc.info/?l=bugtraq&m=122703006921213&w=2
https://fe-ddis.dk/cfcs/CFCSDocuments/Zeroday.pdf
https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23179
http://blog.disects.com/2014/05/metasploit-gaining-access-using-ms08.html
http://www.beyondsecurity.com/scan_pentest_network_vulnerabilities_server_service_allows_code_execut...
http://www.bleepingcomputer.com/forums/t/401254/norton-blocked-an-attack-by-os-attack-ms-windows-ser...
https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
Remote code execution in Microsoft Windows
CVE-2008-3704
Memory corruption
The vulnerability alows a remote attacker to execute arbitrary code on the target system.The weakness exists due to a buffer overflow in the Masked Edit ActiveX Control. A remote attacker can construct a specially crafted Web page, trick the victim into viewing it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Microsoft Masked Edit ActiveX Control
Remote code execution in Microsoft Word
CVE-2008-2244
Memory corruption
The vulnerability alows a remote attacker to execute arbitrary code on the target system.The weakness exists due to buffer overflow when handling malformed Word files. A remote attacker can create a specially crafted Word file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was being used in a 2008 Summer Olympics-themed attack.
Software: Microsoft Word
Links:
https://technet.microsoft.com/en-us/library/security/ms08-042.aspx
https://technet.microsoft.com/library/security/953635
https://isc.sans.edu/diary/Unpatched+Word+Vulnerability/4696
https://blogs.technet.microsoft.com/msrc/2008/07/08/msrc-blog-microsoft-security-advisory-953635/
https://www.cnet.com/news/microsoft-fixes-26-flaws-with-11-patches-six-are-critical/
http://blog.trendmicro.com/trendlabs-security-intelligence/let-the-games-begin/
http://cnii.cybersecurity.my/main/resources/vdb/VDB-1-NWS_JULY_07081.pdf
https://www.mycert.org.my/en/services/advisories/mycert/2008/main/detail/591/index.html
Remote code execution in Microsoft Access
CVE-2008-2463
Memory corruption
The vulnerability alows a remote attacker to execute arbitrary code on the target system.The weakness exists due to buffer overflow in the ActiveX control for the Snapshot Viewer for Microsoft Access. A remote attacker can construct a specially crafted Web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: this vulnerability was being actively exploited.
Software: Microsoft Office
Known/fameous malware:
JS/Exploit.CVE-2008-2463.A
Exploit kits using this vulnerability: Eleonore and Siberia.
Links:
https://technet.microsoft.com/en-us/library/security/ms08-041.aspx
https://www.botnets.fr/wiki/CVE-2008-2463
https://blogs.technet.microsoft.com/msrc/2008/07/07/snapshot-viewer-activex-control-vulnerability/
http://www.kb.cert.org/vuls/id/837785
https://cve.circl.lu/cve/CVE-2008-2463
https://www.cnet.com/news/microsoft-fixes-26-flaws-with-11-patches-six-are-critical/
Remote code execution in Microsoft Windows Internet Printing Service
CVE-2008-1446
Integer overflow
The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.The weakness exists due to integer overflow in Windows Internet Printing Protocol (IPP) implementation. By sending a specially crafted HTTP POST request, a remote authenticated attacker can cause memory corruption and execute arbitrary code.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
According to US CERT, the targeted attacks were spotted on May 2, 2008.
Software: Windows
Privilege escalation in Microsoft Windows
CVE-2008-1436
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges on the target system.The weakness exists due to improper security restrictions on security tokens in the Microsoft Distributed Transaction Coordinator (MSDTC) service. By sending a specially crafted request to the MSDTC service, an attacker can access privileged security tokens and execute code with privileges of SYSTEM account.
Successful exploitation of the vulnerability results in privilege escalation allowing to execute arbitrary code and take complete control of an affected system.
Note: this vulnerability was being actively exploited.
The vulnerability was used in Operation Iron Tiger, a cyber espionage campaign carried out by Chinese hackers on United States Defense Contractors.
Software: Windows
Links:
https://technet.microsoft.com/library/security/951306
http://www.securityfocus.com/archive/1/archive/1/497168/100/0/threaded
http://www.securityfocus.com/archive/1/archive/...
https://technet.microsoft.com/en-us/library/security/ms09-012.aspx
http://nomoreroot.blogspot.com/2008/10/windows-2003-poc-exploit-for-token.html
https://blogs.technet.microsoft.com/msrc/2008/04/17/msrc-blog-microsoft-security-advisory-951306/
https://www.erai.com/CustomUploads/ca/wp/2015_12_wp_operation_iron_tiger.pdf
Remote code execution in Microsoft Jet
CVE-2007-6026
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error in Jet database engine when parsing .mdb files. A remote attacker can create a specially crafted .mdb file, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is publicly disclosed since 2005, however an attack vector was introduced only in 2008. The vulnerability is being actively exploited.The vulnerability initially had three CVEs: CVE-2005-0944, CVE-2007-6026 and CVE-2008-1092.
The issue has been introduced on 02/17/2000. The vulnerability was handled as a non-public zero-day exploit for at least 2832 days.
Software: Microsoft Jet
Known/fameous malware:
Trojan.Acdropper.C
The issue has been introduced on 02/17/2000. The vulnerability was handled as a non-public zero-day exploit for at least 2832 days.
Links:
http://news.softpedia.com/news/Latest-Vulnerability-Attacks-Steer-Clear-of-Vista-SP1-but-Not-XP-SP3-...
https://www.symantec.com/security_response/writeup.jsp?docid=2008-032803-4407-99
https://co.norton.com/security_response/print_writeup.jsp?docid=2008-032619-5301-99
https://technet.microsoft.com/library/security/950627
https://technet.microsoft.com/library/security/ms08-028
Multiple vulnerabilities in Microsoft Excel
CVE-2008-0081
Memory corruption
The vulnerability alows a remote attacker to execute arbitrary code on the target system.The weakness exists due to a boundary error when handling macros in Excel files. A remote attacker can create a specially crafted Excel file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: this vulnerability was being actively exploited.
Software: Microsoft Excel
Known/fameous malware:
mx97:cve-2008-0081 virus
Exploit-MSExcel.p
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2007-5347
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an error when handling certain DHTML object methods. A remote attacker can create a specially crafted HTML page, trick the victim into visiting it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Microsoft Internet Explorer
Privilege escalation in Macrovision SafeDisc driver for Microsoft Windows
CVE-2007-5587
Buffer overflow
The vulnerability allows a local user to escalation privileges on vulnerable system.
The vulnerability exists due to incorrect handling of configuration parameters within Macrovision SafeDisc SECDRV.SYS driver, shipped by default with Windows XP and Windows 2003 operating systems. A local user pass specially crafted parameters to METHOD_NEITHER IOCTL and execute arbitrary code on the target system with elevated privileges.
Successful exploitation of this vulnerability allows a local unprivileged user to elevate his privileges and gain administrative access to vulnerable system.
Note: the vulnerability is being actively exploited.
Software: Windows
Links:
http://www.securityfocus.com/archive/1/archive/1/482482/100/0/threaded
https://downloads.avaya.com/css/P8/documents/100063289
https://threats.kaspersky.com/en/vulnerability/KLA10257/
https://www.tenable.com/plugins/index.php?view=single&id=29311
https://technet.microsoft.com/en-us/library/security/ms07-067.aspx
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/archive/security-advisories/(ms07-067)%20vuln...
https://www.dshield.org/diary/Windows%2BXP%2Band%2B2003%2Blocal%2Bprivilege%2Bescalation%2Bvulnerabi...
https://blogs.technet.microsoft.com/msrc/2007/11/05/msrc-blog-security-advisory-944653/
Remote code execution via URI handlers in Microsoft Windows
CVE-2007-3896
OS command injection
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to insufficient filtration of URIs in Shell32.dll when open applications via URL handlers (e.g. mailto:). A remote attacker can create a specially crafted URI, containing invalid sequence of % characters, trick the victim to click on it and execute arbitrary system commands with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Windows
Remote code execution in Microsoft Word
CVE-2007-3899
Memory corruption
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when handling malformed strings in Word document. A remote attacker can create a specially crafted MS Word document, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Microsoft Word
Remote code execution in Microsoft DNS server
CVE-2007-1748
Stack-based buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when processing RPC requests in Microsoft Windows DNS server, which contain long zone name parameter with escaped octal strings.
A remote attacker can send a specially crafted RPC request to vulnerable DNS server, cause stack-based buffer overflow and execute arbitrary code on vulnerable system.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Windows Server
Remote code execution in Microsoft Windows
CVE-2007-0038
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when handling cursor, animated cursor, and icon formats. A remote attacker can create a specially crafted malicious cursor or icon file, cause buffer overflow and execute arbitrary code on vulnerable system.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
This vulnerability was discovered by Alexander Sotirov of Determina and was rediscovered in the wild by McAfee.
Software: Windows
Links:
http://www.priveon.com/dmdocuments/PV-A-070003A.pdf
http://www.securityfocus.com/archive/1/464339/100/0/threaded
https://isc.sans.edu/diary/Windows+Animated+Cursor+Handling+vulnerability+-+CVE-2007-0038/2534
https://technet.microsoft.com/library/security/935423
https://technet.microsoft.com/en-us/library/security/ms07-017.aspx
Remote code execution in Microsoft Word
CVE-2007-0870
Memory corruption
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when handling malformed stream in Word document. A remote attacker can create a specially crafted MS Word document, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
According to CERT, this vulnerability has been actively exploited in the wild before official patch release.
Software: Microsoft Word
Links:
http://www.kb.cert.org/vuls/id/332404
http://www.firstpost.com/business/biztech/business-tech/security/mcafee-solutions-for-windows-vulner...
https://technet.microsoft.com/en-us/library/security/933052.aspx
https://www.cnet.com/news/microsoft-fixes-nineteen-flaws-in-seven-patches-all-are-considered-critica...
https://nakedsecurity.sophos.com/2008/04/12/ole2-a-popular-malware-delivery-mechanism/
http://about-threats.trendmicro.com/ArchiveVulnerability.aspx?language=tw&name=(MS07-024)%20VULNERAB...
http://www.pcworld.com/article/130629/article.html
http://www.esecurityplanet.com/patches/article.php/3671041/Three-Critical-Fixes-For-Windows.htm
https://www.symantec.com/connect/tr/blogs/microsoft-patch-tuesday-may-2007?page=1
Buffer overflow in Microsoft Excel
CVE-2007-0671
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when handling malformed records in Excel files. A remote attacker can create a specially crafted Excel file, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
The attack was reported on February 2007. The exploit dropped malware that used www.top10member.com C&C server. According to TrendMicro, the malware functionality was very similar to BKDR_SYKIPOT.B.
Software: Microsoft Excel
Known/fameous malware:
Exploit-MSExcel.h.
Links:
https://www.symantec.com/security_response/writeup.jsp?docid=2007-021911-2650-99
https://www.symantec.com/connect/blogs/latest-office-zero-day-vulnerability
https://technet.microsoft.com/en-us/library/security/ms07-015.aspx
https://technet.microsoft.com/library/security/932553
http://blog.trendmicro.com/trendlabs-security-intelligence/the-sykipot-campaign/
Remote code execution in Microsoft Word
CVE-2007-0515
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability is caused by boundary error when processing malformed function in Word files. A remote attacker can create a specially crafted Word file, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Microsoft Word
Known/fameous malware:
Backdoor.Trojan Downloader
Backdoor.Pcclient.B (MCID 8260)
Backdoor.Ginwui.E (MCID 8890)
Trojan.Mdropper.W
Links:
http://blogs.quickheal.com/cve-2007-0515-exploit-targeted-attack/
https://technet.microsoft.com/en-us/library/security/ms07-014.aspx
https://www.symantec.com/connect/blogs/watch-exploit-targeted-attack-video
https://www.symantec.com/security_response/writeup.jsp?docid=2007-020511-5519-99
http://blogs.quickheal.com/cve-2007-0515-exploit-targeted-attack/
Buffer overflow in Internet Explorer VML
CVE-2007-0024
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error in Vgx.dll library when handling Vector Markup Language (VML) tags. A remote attacker can create a specially crafted web page, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Microsoft Internet Explorer
Remote code execution in Microsoft Word
CVE-2006-6561
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability is caused by boundary error when processing an unchecked word count in Word files. A remote attacker can create a specially crafted Word file, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
This vulnerability was publicly disclosed by Disco Jonny.
Software: Microsoft Word
Known/fameous malware:
Bloodhound.Exploit.108.
Links:
https://technet.microsoft.com/en-us/library/security/ms07-014.aspx
https://blogs.technet.microsoft.com/msrc/2006/12/15/update-on-current-word-vulnerability-reports/
https://www.symantec.com/security_response/writeup.jsp?docid=2006-121412-1329-99
https://www.symantec.com/connect/blogs/word-those-word-vulnerabilities
Remote code execution in Microsoft Word
CVE-2006-6456
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability is caused by boundary error when handling Word files with a specially crafted data structure. A remote attacker can create a specially crafted Word file, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Microsoft Word
Known/fameous malware:
Trojan.Mdropper.U
Links:
https://technet.microsoft.com/library/security/ms07-014
https://blogs.technet.microsoft.com/msrc/2006/12/10/new-report-of-a-word-zero-day/
http://www.kb.cert.org/vuls/id/166700
https://blogs.technet.microsoft.com/msrc/2006/12/15/update-on-current-word-vulnerability-reports/
https://www.symantec.com/connect/blogs/word-those-word-vulnerabilities
Remote code execution in Microsoft Word
CVE-2006-5994
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability is caused by boundary error when handling Word files with a specially crafted string. A remote attacker can create a specially crafted Word file, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Microsoft Word
Known/fameous malware:
Bloodhound.Exploit.106
Remote code execution in Microsoft XML Core Services
CVE-2006-5745
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an error in XMLHTTP ActiveX control within Microsoft XML Core Services. A remote unauthenticated attacker can trick the victim to open a specially crafted web page and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may allow an attacker to compromise vulnerable system.
Note: this vulnerability is being actively exploited.
The issue was discovered in the wild by ISS xForce.
Software: Microsoft XML Core Services
Remote code execution in Visual Studio WMIObjectBroker2 ActiveX control
CVE-2006-4704
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to incorrect handling of input data in Microsoft WMIScriptUtils.WMIObjectBroker2 ActiveX control (WmiScriptUtils.dll), bundled with Visual Studio 2005. A remote unauthenticated attacker can trick the victim to open a specially crafted web page or HTML file and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may allow an attacker to compromise vulnerable system.
Note: this vulnerability is being actively exploited.
This vulnerability was publicly reported by Michal Bucko and H D Moore.
Software: Visual Studio
Remote code execution in WebViewFolderIcon ActiveX control in Microsoft Windows
CVE-2006-3730
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper validation of input parameters passed to vulnerable setSlice() method in WebViewFolderIcon ActiveX control (Web View). A remote attacker can create a specially crafted web page, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Windows
Remote code execution in Microsoft PowerPoint
CVE-2006-4694
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability is caused by a boundary error when parsing malformed records within the PowerPoint file. A remote attacker can create a specially crafted .ppt file, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
It has been reported that the attack vector involves SlideShowWindows.View.GotoNamedShow.
Software: Microsoft PowerPoint
Known/fameous malware:
Exploit:Win32/Controlppt.W, Exploit:Win32/Controlppt.X, and Exploit-PPT.d/Trojan.PPDropper.F.
Remote code execution in Microsoft Windows
CVE-2006-4868
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to incorrect handling of input data in Vector Markup Language (VML) implementation (VGX.dll) in Microsoft Windows. A remote unauthenticated attacker can trick the victim to open a specially crafted web page or HTML file and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may allow an attacker to compromise vulnerable system.
Note: this vulnerability is being actively exploited.
This vulnerability was reported by Sunbelt Software.
Software: Windows
Known/fameous malware:
Bloodhound.Exploit.78
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2006-4777
Heap-based buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to heap-based buffer overflow within DirectAnimation Path ActiveX control (daxctle.ocx) when handling unexpected input. A remote attacker can create a specially crafted web page, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Microsoft Internet Explorer
Multiple vulnerabilities in Microsoft Word
CVE-2006-4534
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.The weakness is due to stack-based buffer overflow. By persuading the victim to load and open a specially crafted Word document containing a malformed string, a remote attacker can execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: this vulnerability was being actively exploited.
This vulnerability was reported by Juha-Matti Laurio.
Software: Microsoft Office
Known/fameous malware:
Trojan.Mdropper.Q
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2006-4446
Heap-based buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to heap-based buffer overflow in DirectAnimation.PathControl ActiveX control (daxctle.ocx) when handling unexpected input. A remote attacker can create a specially crafted web page, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Microsoft Internet Explorer
Buffer overflow in Microsoft Windows Server service
CVE-2006-3439
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error in Microsoft Windows Server Service. A remote attacker can send a specially crafted packet to port 139/TCP or 445/TCP, trigger boundary error and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Windows
Remote code execution in Microsoft VBA
CVE-2006-3649
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.The weakness is due to buffer overflow. By persuading the victim to open a malicious Office document containing Visual Basic for Applications (VBA) script, a remote attacker can execute arbitrary code.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: this vulnerability was being actively exploited.
The weakness was disclosed 08/08/2006 by Ka Chun Leung with Symantec.
Software: Microsoft Office
Known/fameous malware:
Trojan.Mdropper.N
Links:
http://www.microsoft.com/technet/security/Bulletin/MS06-047.mspx
ftp://ftp.cerias.purdue.edu/pub/advisories/ciac/q-fy06/q-274.Vul.in.Microsoft.Visual.Basic.txt
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/archive/security-advisories/(ms06-047)%20vul...
https://www.symantec.com/content/en/us/enterprise/collateral/tech_briefs/11310863_HTTST_tb.pdf
Remote code execution in Microsoft PowerPoint
CVE-2006-3590
Memory corruption
The vulnerability allows a remote user to execute arbitrary code on the target system.The weakness is due to memory corruption in mso.dll. By persuading the victim to open a specially crafted PPT file, containing a malformed shape container, a remote attacker can execute arbitrary code on vulnerable system.
Successful exploitation of the vulnerability results in complete compromise of vulnerable system.
Note: this vulnerability was being actively exploited.
Software: Microsoft PowerPoint
Known/fameous malware:
PPDropper.B Trojan.
Bloodhound.Exploit.79
Links:
https://blogs.securiteam.com/index.php/archives/508
http://www.microsoft.com/technet/security/Bulletin/MS06-048.mspx
http://www.microsoft.com/technet/security/advisory/922970.mspx
http://blogs.technet.com/msrc/archive/2006/07/14/441893.aspx
https://www.symantec.com/security_response/writeup.jsp?docid=2006-092614-1828-99&tabid=2
https://ae.norton.com/security_response/print_writeup.jsp?docid=2006-092614-1828-99
https://forums.whatthetech.com/index.php?showtopic=66223
Multiple vulnerabilities in Microsoft Office
CVE-2006-1540
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when handling malformed strings in Office documents. A remote attacker can create a specially crafted Office file, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Software: Microsoft Office
Multiple vulnerabilities in Microsoft Excel
CVE-2006-1301
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to incorrect handling of input data when processing a malformed SELECTION record within Excel file. A remote unauthenticated attacker can trick the victim to open a specially crafted Excel file and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may allow an attacker to compromise vulnerable system.
Note: this vulnerability was being actively exploited.Software: Microsoft Excel
Multiple vulnerabilities in Microsoft Excel
CVE-2006-3059
Remote code execution
The vulnerability allows a remote user to execute arbitrary code on the target system.The weakness is due to a stack-based buffer overflow in the HrShellOpenWithMonikerDisplayName() function. By persuading the victim to open a specially crafted Excel file, a remote attacker can cause DoS conditions or execute arbitrary code via a long hyperlink.
Successful exploitation of the vulnerability results in denial of service or arbitrary code execution on the vulnerable system.
Note: this vulnerability was being actively exploited.
Software: Microsoft Excel
Known/fameous malware:
Mdropper.J Trojan.
Links:
https://technet.microsoft.com/en-us/library/security/ms06-037.aspx
http://www.kb.cert.org/vuls/id/394444
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/archive/security-advisories/(ms06-037)%20vul...
https://home.mcafee.com/virusinfo/virusprofile.aspx?key=140010
https://blogs.technet.microsoft.com/msrc/2006/06/24/an-update-on-recent-public-issues/
https://www.cnet.com/news/buffer-overflow-in-microsoft-hyperlink-object-library/
Remote code execution in Microsoft Word
CVE-2006-2492
Remote code execution
The vulnerability allows a remote user to execute arbitrary code on the target system.The weakness is due to buffer overflow. By persuading the victim to open a specially crafted Word file containing a malformed object pointer, a remote attacker can execute arbitrary code.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: this vulnerability was being actively exploited.
Software: Microsoft Word
Known/fameous malware:
Mdropper.H Trojan.
SmartTag exploit.
Links:
https://technet.microsoft.com/en-us/library/security/ms06-027.aspx
https://blogs.technet.microsoft.com/msrc/2006/05/20/a-quick-check-in-on-the-word-vulnerability/
https://blogs.microsoft.com/microsoftsecure/2011/09/28/targeted-attacks-and-the-need-to-keep-documen...
http://www.networkworld.com/article/2266902/lan-wan/microsoft--rogue--security--software-a-rising-th...
https://www.theguardian.com/technology/blog/2010/apr/26/microsoft-security-intelligence-report
http://www.bcs.org/content/conWebDoc/11820
http://rbach.net/blog/index.php/msft-security-report/
http://garwarner.blogspot.com/2009/04/microsoft-security-intelligence-report.html
https://www.itnews.com.au/news/taiwanese-gang-exploits-microsoft-word-81693
http://www.marketwired.com/press-release/MessageLabs-Intelligence-Targeted-Attack-Report-Criminal-Ri...
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2006-1359
Memory corruption
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error in createTextRange() DHTML method when handling unexpected user input for radio button control. A remote attacker can create a specially crafted web page, trick the victim into visiting it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.Note: this vulnerability is being actively exploited.
Software: Microsoft Internet Explorer
Known/fameous malware:
Kaspersky - Exploit.JS.CVE-2006-1359.d
Ikarus - Exploit.JS.CVE-2006-1359.d
Nod32 - JS/Exploit.CVE-2006-1359
Remote code execution in Microsoft Windows GDI
CVE-2005-4560
Buffer overflow
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error in Microsoft Graphical Device Interface library (GDI32.DLL) when handling .wmf files. A remote attacker can create a specially crafted .wmf image file with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
This vulnerability was disclosed on December 27, 2005. We have decided however to include it into 2006 year due to very close timing.
Software: Windows